Indigo Refuses to Pay in Ransomware Attack, Employee Data to Hit Dark Web

Last week Indigo revealed its recent ransomware attack resulted in employee data being leaked, including social insurance numbers, financial details, personal info, addresses and more. Employees were told to contact police and anti-fraud services.

The cyberattack took down Indigo’s website and also disrupted digital payments in stores temporarily. Since then, Indigo has restored payments at stores but also set up a Shopify website online to replace its old site that’s no longer available.

According to a new memo sent to current employees late Wednesday, Indigo president Andrea Limbardi revealed more about the ransomware attack, reports The Globe and Mail.

Indigo said its network was “illegally accessed using ransomware software known as LockBit,” a global ransomware group.

“We have been informed that the criminals responsible for this attack intend to make some or all of the data they have stolen available using the dark web as early as tomorrow,” said the letter seen by The Globe and Mail.

“Although we do not know the identity of the criminals, some criminal groups using LockBit are located in or affiliated with Russian organized crime,” she noted.

Indigo confirmed the memo was authentic and said in a statement it will not be paying the ransom, citing there was no way of knowing if it could end up “in the hands of terrorists or others on sanctions lists.”

“We have no indication that there is any risk to customers because of this illegal attack,” said Indigo.

The company explained its reasons for not paying the ransom, citing U.S. and Canadian law enforcement practices that discourage paying, as it rewards criminal activity. There’s also no guarantee stolen data will be removed or deleted.

Indigo also added it is now working with the Federal Bureau of Investigation in the U.S. regarding the attack, along with Canadian authorities.

“At Indigo, our staff are at the very heart of our organization, and we take their privacy and security seriously. We deeply regret this incident and are committed to ensuring employees have the support they need,” says the Indigo website, which has been updated with the same info from the memo sent to employees.