Business

Some Indigo employee data was stolen in ransomware attack, retailer now says

A ransomware attack compromised the data of current and former employees at Canada's biggest bookstore chain, Indigo Books & Music Inc. says.

Retail giant still says customer data was not accessed, but employee information was

A woman walks past the display window of an Indigo book store.
Indigo was hit by a ransomware attack earlier this month that has halted the company's ability to process sales online. The retailer says customer data wasn't stolen but some information on employees was. (Ryan Remiorz/The Canadian Press)

A ransomware attack compromised the data of current and former employees at Canada's biggest bookstore chain, Indigo Books & Music Inc. says.

In a statement on its website, Indigo said the breach on Feb. 8 left no indication that personal customer information, such as credit card numbers, had been accessed, but that "some employee data was."

The Toronto-based retailer said it has contracted consumer reporting agency TransUnion of Canada to offer two years of credit monitoring and identity theft protection to workers at no cost.

Customers remain unable to make purchases online except for "select books," after Indigo halted website and app operations in what it referred to last week as a "cyberattack."

When the incident began more than two weeks ago, Indigo was only able to process purchases made in store with cash, but some of its services, including over-the-counter credit and debit payments as well as exchanges and returns, have since been restored.

WATCH | What we know about Indigo's 'cybersecurity incident': 

Indigo website down for nearly a week due to cyberattack

2 years ago
Duration 1:57
The website for Indigo, Canada's largest bookstore chain, has been down for almost a week due to a cybersecurity incident. Cyberattacks on businesses are becoming more common, and experts say they should beef up their security systems to avoid being targeted.

The company engaged third-party experts to investigate and resolve the matter, but did not publicly acknowledge the incident as a ransomware attack affecting employees until this week.

"Both current and former employees are being notified that their information may have been impacted," the statement reads.

Data breaches have become a familiar feature on the corporate and public-sector landscape, with Canadian retailers experiencing a growing number of cyberattacks in recent months.

Sobeys parent company Empire Co. Ltd. suffered a security breach late last year.

The incident in November left customers unable to fill prescriptions at the chain's pharmacies for four days, while other in-store functions like self-checkout machines, gift card use and the redemption of loyalty points were off-line for about a week.

Empire later said the attack was expected to cost $25 million after insurance recoveries.

The Liquor Control Board of Ontario experienced a "malicious" cybersecurity incident that affected online sales in January, and Toronto's Hospital for Sick Children saw a ransomware attack disrupt operations in December.

Add some “good” to your morning and evening.

Your weekly look at what’s happening in the worlds of economics, business and finance. Senior business correspondent Peter Armstrong untangles what it means for you, in your inbox Monday mornings.

...

The next issue of the Mind your Business will soon be in your inbox.

Discover all CBC newsletters in the Subscription Centre.opens new window

This site is protected by reCAPTCHA and the Google Privacy Policy and Google Terms of Service apply.