Indigo, Canada’s biggest bookstore chain, says it expects data of current and former employees stolen in a ransomware attack last month to appear on the “dark web” as soon as Thursday, but will not pay a ransom to the “criminals” responsible.
An updated section of Indigo’s website — which was stripped down in response to the breach on Feb. 8 — lists a number of reasons for not paying the ransom, including that there is no way to guarantee the data won’t be released even after the payment is received.
“We have been informed that the criminals responsible for this attack intend to make some or all of the data they have stolen available using the dark web as early as Thursday, March 2, 2023,” the company says.
“We are continuing to work closely with the Canadian police services and the FBI in the United States in response to the attack.”
The company also says it cannot be assured the ransom payment “would not end up in the hands of terrorists or others on sanctions lists.”
“Both US and Canadian law enforcement discourage organizations from paying a ransom as it rewards criminal activity and encourages others to engage in this activity,” it adds.
The dark web refers to a subset of the internet that requires a specific browser and other configurations to access. The ominously named network is not used solely for illegal activity, but is commonly used by individuals looking to evade surveillance or law enforcement efforts.
Indigo has not publicly named the individuals or group responsible for the cyberattack, which resulted in the company suspending online purchases and in-store credit, debit and gift card payments.
The Toronto-based retailer has repeatedly assured that no customer data was compromised by the incident, saying it does not store payment information.
Last week, the company publicly admitted for the first time the attack had affected the data of current and former employees, after engaging third-party experts to investigate and resolve the matter.
Workers are being offered two years of credit monitoring and identity theft protection by consumer reporting agency TransUnion of Canada at no cost.
Data breaches have become a familiar feature on the corporate and public-sector landscape, with Canadian retailers experiencing a growing number of cyberattacks in recent months.
Last week, Telus told Global News it is investigating recent claims that “a small amount” of employee information as well as company source code was posted to the dark web as part of a data breach.
Sobeys parent company Empire Co. Ltd. also suffered a security breach late last year.
The incident in November left customers unable to fill prescriptions at the chain’s pharmacies for four days, while other in-store functions like self-checkout machines, gift card use and the redemption of loyalty points were off-line for about a week.
The Liquor Control Board of Ontario experienced a “malicious” cybersecurity incident that affected online sales in January, and Toronto’s Hospital for Sick Children saw a ransomware attack disrupt operations in December.
— with files from Global News’s Craig Lord, The Canadian Press