Indigo refuses to pay ransom, warns stolen employee data may be posted to dark web


Published March 2, 2023 at 5:58 pm

TORONTO — Indigo Books & Music Inc. is refusing to pay a ransom after current and former employees’ data was hijacked in a cyberattack last month.

The bookstore chain is now warning that the stolen information may be posted on the dark web as early as today.

The company says it decided not to pay the ransom as it “cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists.”

Indigo says its investigation has found no evidence that customers’ personal information, such as credit card numbers, has been accessed.

The retailer says it’s providing two years of identity theft monitoring to current and former employees impacted by the security breach.

Indigo says its website and digital payment system was attacked in early February using a ransomware software known as “LockBit.”

This report by The Canadian Press was first published March 2, 2023.

Companies in this story: (TSX:IDG)

The Canadian Press

insauga's Editorial Standards and Policies advertising