Indigo Employee Data Leaked in Ransomware Attack: Contact Police and Anti-Fraud, Says Memo

Past and present employees at Canada’s largest bookstore chain Indigo have had their social insurance numbers, financial details, and other sensitive data leaked in a recent ransomware attack.

Last week, the retailer took its website offline, citing a “cybersecurity incident”, which also resulted in its stores across Canada only accepting cash payments temporarily, before being restored to regular debit, credit card and gift card payments.

Now according to The Globe and Mail, employees’ names, e-mail addresses, phone numbers, birth dates, home addresses, postal codes, social insurance numbers, direct deposit information, the name of their financial institutions, bank account numbers, and branch numbers have all been breached.

“We recently learned that your personal information may have been acquired by an unauthorized third party between Jan. 16, 2023, and Feb. 8, 2023,” wrote Indigo president Andrea Limbardi in a staff memo, obtained by The Globe and Mail. Indigo confirmed the memo was authentic.

“We know this may be concerning news to receive and are deeply sorry for this breach of your information,” Ms. Limbardi added.

“You should consider contacting your local police and visit the Canadian Anti-Fraud Centre for support,” said the memo to employees.

The memo added that Indigo is providing support with what it called “additional assurance and protection” in the form of “assistance” from TransUnion of Canada.

“Through TransUnion, we have arranged a 2-year subscription to TransUnion myTrueIdentity, an online monitoring service, at no cost to you,” Ms. Limbardi noted.

Since the attack, Indigo has created a temporary new website, powered by Ottawa-based Shopify and its e-commerce platform. However, only select books are available for purchase online.

The retailer has also changed its in-store payment technology to resume accepting debit and credit card payments, as well as gift cards.