Indigo won’t pay ransom requested in February cyberattack


Mar 2, 2023


Canadian bookstore chain Indigo Books & Music Inc. will not pay ransom requested by hackers behind a Feb. 8 cyberattack that compromised employee data and continues to hamper online operations, the company said Thursday.

The retailer said it still does not know the identity of the attackers, but the investigation so far has revealed the software they used – and that stolen employee data could be posted to the dark web on Thursday.

“We have been informed that the criminals responsible for this attack may make some or all of the data they have stolen available using the dark web as early as today,” the company said in a Thursday statement to BNN Bloomberg.

“Given we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists, Indigo has determined it would be inappropriate to pay the ransom.”

The unidentified hackers used software associated with infamous global ransomware group LockBit, the company said.

Indigo said it is working with Canadian police services and the U.S. Federal Bureau of Investigation (FBI) in response to the attack that saw the company halt its website and mobile app operations.

The company said it decided not to pay the requested ransom on the advice of privacy commissioners and law enforcement, as paying the ransom “rewards criminal activity” and does not guarantee the stolen data would be protected.

Ransomware attacks use software to encrypt victims’ digital files, and the attackers then demand payment to unlock them. The FBI has described LockBit as one of the world’s most active and destructive ransomware groups.

In an unusual move for the organization, LockBit apologized earlier this year for an attack by one of its “partners” that disrupted operations at Toronto’s Hospital for Sick Children, and offered to unlock the hospital’s data.

Other global LockBit victims include the U.K.’s postal service, software firm ION Trading UK and its clients, and police departments and government agencies in the U.S.

Customer data was not compromised in the Indigo attack, the company has said, but some data from current and former employees was. It’s offering affected employees two years of free credit monitoring and identity theft protection from agency TransUnion of Canada.

Now three weeks after the attack, Indigo’s web operations still aren’t fully back online.

Only “select” book titles are available to order online, customers cannot use gift cards for online orders or access their online “wish lists,” and the store’s mobile app is not currently available.

The company said it can’t provide delivery status updates for orders placed online before Feb. 8 or allow people to cancel online orders, among other limitations.

With files from Bloomberg News and The Canadian Press.