Indigo Books & Music Inc. has decided not to pay a ransom after a cyberattack took down the Canadian retailer’s entire e-commerce operations last month and breached sensitive information about the bookstore chain’s current and former employees.
In an internal letter sent to staff by e-mail late Wednesday, Indigo president Andrea Limbardi said the company’s network was “illegally accessed using ransomware software known as LockBit,” a specific piece of malware that carries the same name as the criminal organization behind it, which has ties to Russia.
“We have been informed that the criminals responsible for this attack intend to make some or all of the data they have stolen available using the dark web as early as tomorrow,” Ms. Limbardi said in the internal letter, obtained by The Globe and Mail.
“Although we do not know the identity of the criminals, some criminal groups using LockBit are located in or affiliated with Russian organized crime,” she added.
A statement provided by Indigo spokesperson Melissa Perri confirmed that Ms. Limbardi’s letter is authentic.
“Given we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists, Indigo has determined it would be inappropriate to pay the ransom. We have no indication that there is any risk to customers because of this illegal attack,” the statement said.
In Ms. Limbardi’s internal letter, she provided more details about “a number of reasons” behind the decision by Indigo not to pay the ransom.
“The privacy commissioners do not believe that paying a ransom protects those whose data has been stolen, as there is no way to guarantee the deletion/protection of the data once the ransom is paid. Both U.S. and Canadian law enforcement discourage organizations from paying a ransom as it rewards criminal activity and encourages others to engage in this activity,” Ms. Limbardi said in the letter.
Ms. Limbardi said last week that Indigo was working with Canadian law enforcement. In her letter on Wednesday, which was only sent to current staffers and not those who had formerly worked for the retailer, Ms. Limbardi said Indigo is also working with the Federal Bureau of Investigation in the United States in response to the attack.
Last week, Ms. Limbardi first told Indigo’s current and former employees that they face the risk of having their personal information leaked to the dark web, a part of the internet that requires specific computer configurations for access and is commonly used for illicit purposes, such as child pornography, the illegal organ trade, stolen identities and fraud.
Thousands of staffers work at Indigo locations across the country. Their home addresses, postal codes, social insurance numbers, birth dates, direct deposit information, bank account numbers, names, e-mail addresses and phone numbers have all been breached, Indigo said last week.
LockBit is the same group that was behind the cyberattack on the The Hospital for Sick Children in Toronto, for which it later issued a rare apology to SickKids.
What is LockBit, the malicious software used against Indigo and SickKids?
The notorious group is believed to be responsible for at least 22 per cent of all attributed ransomware attacks in Canada last year, according to a report last month from Canada’s cyber intelligence agency, the Communications Security Establishment.
On Feb. 8, Indigo’s website was completely taken down by what the company last week admitted was a ransomware attack. Customers continue to face issues accessing their online orders. And for at least around a week, even those shopping in person were affected because the breach had shut down computers in stores, as well.
Indigo has created a temporary website since then. It is now able to accept in-store payment through debit, credit cards and gift cards. But the new website only allows customers to browse, with the ability to purchase “select books” online. The company’s shipping and delivery services also continue to be affected by the attack.