Canada’s largest bookstore chain says it won’t pay ransom to the online group claiming responsibility for the cyberattack that stole at least some personal data of current and former employees of Indigo Books & Music and that likely caused the recent downing of its website.
A recent post on the dark web claiming to be from people affiliated with the ransomware group LockBit says the data will be released Friday at 3:39 p.m. ET.
In a statement to CBC News, the company said that while it has been informed that “some or all of the data” could become available, it does not believe it’s appropriate to pay the ransom because it cannot guarantee the money would not “end up in the hands of terrorists.”
The retailer has said that it does not believe customer data was stolen in this attack.
Both current and former employees of Indigo, as well as its Chapters and Coles stores, have confirmed to CBC News they received communications from the company stating their personal data may have been stolen in the attack.
In late February, current and some former Indigo workers were offered two years of identity theft monitoring.
The company did not indicate whether this offer would change because of the threatened release of the data, but said in its statement that its “priority remains the safety and security of our current and former employees.”
In an email to employees provided to CBC News, Indigo president Andrea Limbardi wrote that “privacy commissioners do not believe that paying a ransom protects those whose data has been stolen.”
CBC News has reached out to the Privacy Commissioner of Canada to confirm its stance on these matters, but in a previous statement the Commissioner’s office said it was aware of the privacy breach at Indigo and remains in contact with the company.
Indigo added that it does not know the identity of the group behind the attack. LockBit has been involved in previous cyberattacks, including one that targeted Toronto’s Hospital for Sick Children.
Indigo has not confirmed that the downing of its website was caused by the attack. At the time, the chain’s brick-and-mortar stores were also unable to process credit, debit or gift card transactions. Hours later, the company posted online that it “experienced a cybersecurity incident.”
Physical stores were back up after the following weekend. The website was back to taking some purchases last week.