Present and former workers at Canada’s largest bookstore chain, Indigo Books & Music Inc. IDG-T, have had their social insurance coverage numbers, monetary particulars and different private data leaked after a ransomware assault took down the retailer’s web site.
Late on Thursday, Indigo president Andrea Limbardi wrote to the corporate’s staffers together with her signature on the backside of a prolonged memo. “We not too long ago realized that your private data could have been acquired by an unauthorized third get together between Jan. 16, 2023, and Feb. 8, 2023,” Ms. Limbardi mentioned.
Every worker’s title, e-mail deal with, telephone quantity, beginning date, dwelling deal with, postal code, social insurance coverage quantity, direct deposit data, the title of their monetary establishment, checking account quantity and department quantity have all been breached, Indigo famous.
“We all know this can be regarding information to obtain and are deeply sorry for this breach of your data,” Ms. Limbardi mentioned in her inside memo, obtained by The Globe and Mail. She warned Indigo workers that they could have probably turn into a sufferer of identification theft or fraud.
Ms. Limbardi additionally prompt that Indigo workers face the danger of getting their private data leaked to the darkish net, part of the web that requires particular software program and pc configurations for entry. Darkish web sites are identified for use for illicit functions, similar to youngster pornography, the unlawful drug market, stolen identities and fraud.
“You must take into account contacting your native police and go to the Canadian Anti-Fraud Centre for assist,” Ms. Limbardi mentioned. “You must also assessment the RCMP’s Id Theft and Id Fraud Sufferer Help Information for steps you may take.”
Indigo spokesperson Melissa Perri confirmed that the memo is genuine. “Earlier this month, Indigo skilled a ransomware assault that affected a few of our methods. We additionally shut down a few of our methods as a precaution,” mentioned an Indigo assertion offered by Ms. Perri on Friday.
“Whereas we now have no cause to imagine buyer information has been improperly accessed, our investigation discovered that some worker information was. We’re within the means of notifying all affected workers,” the Indigo assertion mentioned, with out noting how far again the breach goes for former workers.
“We now have additionally notified and are co-operating with legislation enforcement.”
On its web site, Indigo claims buyer credit score and debit card data was not compromised. “We don’t retailer full bank card or debit card numbers in our methods,” the web site states, as of Friday.
Within the memo, Indigo mentioned it’s offering workers with what it known as “extra assurance and safety” within the type of “help” from TransUnion of Canada Inc., a client reporting company, which can assist notify employees of “important adjustments” to their credit score scores, similar to probably fraudulent exercise.
“By TransUnion, we now have organized a two-year subscription to TransUnion myTrueIdentity, a web-based monitoring service, for free of charge to you,” Ms. Limbardi instructed Indigo staffers and former workers, offering them with activation codes for the subscription in her memo.
The subscription additionally supplies “monitoring of floor, social, deep and darkish web sites for probably uncovered private, identification and monetary data as a way to assist shield shoppers towards identification theft,” Ms. Limbardi’s memo famous.
Little stays identified about who’s behind the cyberattack at Indigo. The corporate solely this week admitted that the “cybersecurity incident” it’s been dealing with this month is a “ransomware assault,” however Indigo wouldn’t say whether or not it has paid a ransom but, or whether or not it can sooner or later.
Nonetheless, Thursday’s memo from Ms. Limbardi didn’t describe the incident as a ransomware assault. “We detected unauthorized entry to a few of our pc methods. We acted rapidly to cease this occasion and forestall additional unauthorized entry. We labored with exterior consultants to research and resolve the state of affairs as rapidly as attainable. Each step of the best way, the safety of worker and buyer information and privateness has been a prime precedence,” the memo to workers notes, in a brief part with the headline: “What occurred?”
On Feb. 8, Indigo’s e-commerce operations had been completely taken down by what the corporate described as a cybersecurity incident. For over per week, the Toronto-based retailer mentioned its clients throughout the nation couldn’t entry their orders. Even these procuring in individual at Indigo areas had been unable to entry merchandise on cabinets, as a result of the incident affected computer systems in shops, too.
Since then, Indigo has created a short lived new web site, powered by Shopify Inc., the Ottawa-based e-commerce platform. Indigo has additionally modified its in-store fee know-how to renew accepting debit and bank cards, in addition to present playing cards.
Indigo’s new web site solely permits clients to browse. They’re then unable to make any purchases past “choose books” on-line.
The cyberattack at Indigo follows a number of different high-profile incidents in current months, similar to these on the Liquor Management Board of Ontario, Toronto’s Hospital for Sick Kids and grocery retailer Empire Co. Ltd., which operates Sobeys, Safeway, IGA and FreshCo. Specialists say these assaults spotlight the rising prices of cybersecurity for companies and public-sector organizations, and emphasize their lack of preparation for such incidents.
With a report from Susan Krashinsky Robertson