
Indigo Books & Music Inc. is not doing enough to protect and assist its current and former employees after a ransomware attack breached their personal and financial information, says the union representing some workers at the Canadian retailer.

In an internal letter sent to Indigo staffers last week, Chapter 1006A of the United Food and Commercial Workers International Union said it has sought legal counsel to explore remedies beyond what the national bookstore chain is currently providing. The two-year credit monitoring subscription that Indigo is offering is “simply not enough,” the union said.

Indigo admitted last week that “the criminals responsible” for the cyberattack, which took down the company’s entire e-commerce operations in early February, said they have leaked stolen employee data to the dark web – a part of the internet used for illicit purposes, such as identity theft, the illegal organ trade and child pornography. The leak includes employees’ home addresses, postal codes, social insurance numbers, dates of birth, direct deposit information, bank account numbers, names, e-mail addresses and phone numbers, which have all been breached. Indigo now also believes the leak may have included medical information and immigration data for some workers as well.

“We demand that the company support you in cases of possible identity theft and any damages that may occur relating to the breach,” UFCW representative Daiana Dumitru wrote in an e-mail to Indigo employees Thursday evening that was obtained by The Globe and Mail.

In her e-mail, Ms. Dumitru attached a copy of a letter that the union had sent to Indigo. “The company’s communication leaves several questions unanswered, most importantly, whether the company is aware of any unauthorized use of potentially affected personal information,” she said in the attached letter.

“It is also unclear from the company’s communications what measures are being undertaken to strengthen the safeguard of employee personal information.”

In a statement to The Globe on Friday, Indigo defended its offer for staffers caught up in the cybersecurity incident. “Indigo has followed industry best practices in providing two years of complimentary myTrueIdentity credit monitoring and identity theft protection services, including identity theft insurance, provided by TransUnion, and the company has been working with third-party experts to strengthen our cybersecurity practices, enhance data security measures, and review our existing controls.”

Indigo also addressed what the UFCW described in its letter as faulty communications from the company. “At Indigo, our staff are at the very heart of our organization, and we take their privacy and security seriously,” the company said. “We strongly believe in the importance of providing timely and transparent updates to our teams. We continue to work to strike a balance between the necessity for timely updates and the necessity for accurate updates, and continue to work to address questions and concerns as soon as we are able.”

UFCW spokesperson Joel Thelosen told The Globe the union is getting “increasingly alarmed as additional information comes to light on the scope of Indigo’s data breach, including medical and immigration information,” which the company only acknowledged earlier this week.

Indigo locations are not fully unionized across Canada. Only some stores began to organize in the past few years amid growing concerns over labour rights during the pandemic. The UFCW said it currently represents roughly 200 Indigo workers at four locations in the Greater Toronto Area.

Greta Whipple took on a lead role in the unionization effort at her Indigo store in Toronto’s Yorkdale Shopping Centre before she left the company last year. “It is traumatizing enough to have had all those bad memories from there. But then to be dragged back into this mess for a place I have since moved on from is just heartbreaking,” she said in an interview.

“And somehow they believe this bare minimum is enough for all of us former and current workers?”

In an internal letter sent only to current employees, Indigo said on March 1 that its network was “illegally accessed using ransomware software known as LockBit,” a piece of malware with ties to Russian organized crime. The company added that it is working with the U.S. Federal Bureau of Investigation, as well as Canadian law enforcement, and will not be paying a ransom.

Editor’s note: A previous version of this article reported that Indigo employee data has been leaked to the dark web. This version has been updated to clarify that the cyberattackers said they had leaked the stolen data.
