Skip to main content
Open this photo in gallery:

A pedestrian passes an Indigo bookstore in Laval, Que.Ryan Remiorz/The Canadian Press

Current and former employees at Canada’s largest bookstore chain, Indigo Books & Music Inc. IDG-T, have had their social insurance numbers, financial details and other personal information leaked after a ransomware attack took down the retailer’s website.

Late on Thursday, Indigo president Andrea Limbardi wrote to the company’s staffers with her signature at the bottom of a lengthy memo. “We recently learned that your personal information may have been acquired by an unauthorized third party between Jan. 16, 2023, and Feb. 8, 2023,” Ms. Limbardi said.

Each employee’s name, e-mail address, phone number, birth date, home address, postal code, social insurance number, direct deposit information, the name of their financial institution, bank account number and branch number have all been breached, Indigo noted.

“We know this may be concerning news to receive and are deeply sorry for this breach of your information,” Ms. Limbardi said in her internal memo, obtained by The Globe and Mail. She warned Indigo employees that they may have potentially become a victim of identity theft or fraud.

Ms. Limbardi also suggested that Indigo employees face the risk of having their personal information leaked to the dark web, a part of the internet that requires specific software and computer configurations for access. Dark websites are known to be used for illicit purposes, such as child pornography, the illegal drug market, stolen identities and fraud.

“You should consider contacting your local police and visit the Canadian Anti-Fraud Centre for support,” Ms. Limbardi said. “You should also review the RCMP’s Identity Theft and Identity Fraud Victim Assistance Guide for steps you can take.”

Indigo spokesperson Melissa Perri confirmed that the memo is authentic. “Earlier this month, Indigo experienced a ransomware attack that affected some of our systems. We also shut down some of our systems as a precaution,” said an Indigo statement provided by Ms. Perri on Friday.

“While we have no reason to believe customer data has been improperly accessed, our investigation found that some employee data was. We are in the process of notifying all affected employees,” the Indigo statement said, without noting how far back the breach goes for former employees.

“We have also notified and are co-operating with law enforcement.”

On its website, Indigo claims customer credit and debit card information was not compromised. “We do not store full credit card or debit card numbers in our systems,” the website states, as of Friday.

In the memo, Indigo said it is providing employees with what it called “additional assurance and protection” in the form of “assistance” from TransUnion of Canada Inc., a consumer reporting agency, which will help notify workers of “critical changes” to their credit scores, such as potentially fraudulent activity.

“Through TransUnion, we have arranged a two-year subscription to TransUnion myTrueIdentity, an online monitoring service, at no cost to you,” Ms. Limbardi told Indigo staffers and former employees, providing them with activation codes for the subscription in her memo.

The subscription also provides “monitoring of surface, social, deep and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft,” Ms. Limbardi’s memo noted.

Little remains known about who is behind the cyberattack at Indigo. The company only this week admitted that the “cybersecurity incident” it’s been facing this month is a “ransomware attack,” but Indigo would not say whether it has paid a ransom yet, or whether it will in the future.

Still, Thursday’s memo from Ms. Limbardi did not describe the incident as a ransomware attack. “We detected unauthorized access to some of our computer systems. We acted quickly to stop this event and prevent further unauthorized access. We worked with external experts to investigate and resolve the situation as quickly as possible. Every step of the way, the protection of employee and customer data and privacy has been a top priority,” the memo to employees notes, in a short section with the headline: “What happened?”

On Feb. 8, Indigo’s e-commerce operations were entirely taken down by what the company described as a cybersecurity incident. For over a week, the Toronto-based retailer said its customers across the country could not access their orders. Even those shopping in person at Indigo locations were unable to access merchandise on shelves, because the incident affected computers in stores, too.

Since then, Indigo has created a temporary new website, powered by Shopify Inc., the Ottawa-based e-commerce platform. Indigo has also changed its in-store payment technology to resume accepting debit and credit cards, as well as gift cards.

Indigo’s new website only allows customers to browse. They are then unable to make any purchases beyond “select books” online.

The cyberattack at Indigo follows several other high-profile incidents in recent months, such as those at the Liquor Control Board of Ontario, Toronto’s Hospital for Sick Children and grocery retailer Empire Co. Ltd., which operates Sobeys, Safeway, IGA and FreshCo. Experts say these attacks highlight the increasing costs of cybersecurity for businesses and public-sector organizations, and emphasize their lack of preparation for such incidents.

With a report from Susan Krashinsky Robertson

Follow related authors and topics

Authors and topics you follow will be added to your personal news feed in Following.

Interact with The Globe