Skip to content

Indigo refuses to pay ransom, warns stolen employee data may be posted to dark web

TORONTO — Indigo Books & Music Inc. is refusing to pay a ransom after current and former employees' data was hijacked in a cyberattack last month.
2023030211030-6400c82e3f8886a8ace2e1d4jpeg
An Indigo bookstore is seen Wednesday, November 4, 2020 in Laval, Que. Indigo Books & Music Inc. is refusing to pay a ransom after current and former employees' data was hijacked in a cyberattack last month. THE CANADIAN PRESS/Ryan Remiorz

TORONTO — Indigo Books & Music Inc. is refusing to pay a ransom after current and former employees' data was hijacked in a cyberattack last month. 

The bookstore chain is now warning that the stolen information may be posted on the dark web as early as today. 

The company says it decided not to pay the ransom as it "cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists."

Indigo says its investigation has found no evidence that customers' personal information, such as credit card numbers, has been accessed.

The retailer says it's providing two years of identity theft monitoring to current and former employees impacted by the security breach.

Indigo says its website and digital payment system was attacked in early February using a ransomware software known as “LockBit."

This report by The Canadian Press was first published March 2, 2023.

Companies in this story: (TSX:IDG)

The Canadian Press