After Indigo cyberattack, the staff union is calling for more answers and help

A union representing 200 employees of Indigo Books & Music Inc. is calling on the retailer to disclose more information about the scope of its recent data breach and offer additional support to staff affected by the cyberattack.

United Food and Commercial Workers International Union Local 1006A said Saturday that it is “increasingly alarmed” by new information that has come to light about a Feb. 8 cyberattack on Canada’s biggest bookstore.

Current and former Indigo workers learned this week that their medical and immigration data were part of the breach, which the Toronto-based retailer previously said also included their names, email addresses, phone numbers, birth dates, home addresses, social insurance numbers and direct deposit information such as bank account numbers.

Read more:

Indigo still grappling with fallout one month after ransomware attack

Story continues below advertisement

Indigo blamed the attack on a ransomware software known as LockBit and warned current and past workers that their information may end up on the dark web, an underground portion of the internet used for illicit activity. It said it had not uncovered any evidence of customer information being breached.

But a letter UFCW sent to Indigo this week said several other key concerns had still not been addressed.

“The company’s communication leaves several questions unanswered, including most importantly, whether the company is aware of any unauthorized use of the potentially affected personal information,” it read.

The union representing workers at four stores in the Greater Toronto Area also asked Indigo to explain what measures it is undertaking to better safeguard data and provide additional support for workers who may face identity theft or other damages because of the attack.


Click to play video: 'Indigo under fire for turning away people without masks who are exempt'


Indigo under fire for turning away people without masks who are exempt


Indigo offered staff two years of credit monitoring last month when it first revealed the breach.

Story continues below advertisement

The union called the credit monitoring offer “commendable,” but said workers deserve more information about what other steps the company will take to protect them should their data fall into unauthorized hands and be used for nefarious purposes.

Read more:

Data breaches like Indigo’s are hitting employees, not customers. Can you sue?

“The current circumstances demand nothing less from Indigo than a genuine commitment that it will take all reasonable steps to remedy any, and all effects on employees arising out of the information breach,” the union said.

“We trust that Indigo will do the right thing in the circumstances and put the best interest of its employees first.”

In response, Indigo said it takes the privacy and security of current and former staff seriously and is working to ensure they receive up-to-date information about the attack.

“We continue to work to strike a balance between the necessity for timely updates and the necessity for accurate updates, and continue to work to address questions and concerns as soon as we are able,” the company said in a written statement.


Click to play video: 'Toronto hospital network systems restored, says outage not a result of cyberattack'


Toronto hospital network systems restored, says outage not a result of cyberattack


It added that it has been working with third-party experts to strengthen its cybersecurity practices and enhance data security measures.

Story continues below advertisement

The hack resulted in Indigo’s website and payment systems being abruptly booted offline.

The bookstore and home goods chain managed to quickly restore its payment systems and soon after launched a temporary, browsable-only website.

Indigo eventually allowed customers to purchase select books through the site and has since been gradually uploading more inventory.

&copy 2023 The Canadian Press

Leave a Reply

Your email address will not be published. Required fields are marked *