Indigo won’t pay ransom for stolen employee data | CBC News
Business

Indigo won’t pay ransom for stolen employee data | CBC News

By Jessica

Canada’s largest bookstore chain says it won’t pay ransom to the online group claiming responsibility for the cyberattack that stole at least some personal data of current and former employees of Indigo Books & Music, and which likely caused the recent downing of its website. 

A recent post on the dark web claiming to be from people affiliated with the ransomware group LockBit says the data will be released Friday at 3:39 p.m. ET.

In a statement to CBC News, the company said while it has been informed that “some or all of the data” could become available, it does not believe it’s appropriate to pay the ransom because it cannot guarantee the money would not “end up in the hands of terrorists.”

The retailer has said that it does not believe customer data was stolen in this attack.

Both current and former employees of Indigo, as well as its Chapters and Coles stores, have confirmed to CBC News they received communications from the company stating their personal data may have been stolen in the attack.

In late February, current and some former Indigo workers were offered two years of identity theft monitoring. 

A screengrab showing ransomware group LockBit's forum, where it threatens to release data stolen from Indigo if a ransom is not paid by 3:39 PM Eastern Time on March 2, 2023.
A recent message posted on the dark web says the data will be released on Friday. (Screenshot)

The company did not indicate whether this offer would change because of the threatened release of the data, but said in its statement that its “priority remains the safety and security of our current and former employees.”

In an email to employees provided to CBC News, Indigo president Andrea Limbardi wrote that “privacy commissioners do not believe that paying a ransom protects those whose data has been stolen.”

CBC News has reached out to the Privacy Commissioner of Canada to confirm its stance on these matters, but in a previous statement the Commissioner’s office said it was aware of the privacy breach at Indigo and remains in contact with the company. 

Indigo added that it does not know the identity of the group behind the attack. LockBit has been involved in previous cyberattacks, including one that targeted Toronto’s Hospital for Sick Children.

Indigo has not confirmed the downing of its website was because of the attack. At the time, the chain’s brick-and-mortar stores were also unable to process credit, debit or gift card transactions. Hours later, the company posted online that it “experienced a cybersecurity incident.” 

Physical stores were back up after the following weekend. The website was back to taking some purchases last week.

For all the latest business News Click Here 

Read original article here

Denial of responsibility! TechAI is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.

Jessica 81350 posts 0 comments