The deadline has come for Indigo Books to pay a ransom or risk the public release of employees’ personal information without announcing the stolen data, but both privacy advocates and a cybersecurity analyst say that doesn’t mean there are any fewer risks for Canadians affected by a data breach.
Canada’s largest bookstore chain said Wednesday night that it will not accept payment requests from an online group claiming affiliation with ransomware site LockBit, because it cannot guarantee that the money “will not end up in the hands of terrorists.”
The hacker group has indicated that it will release all of the stolen information publicly, and a countdown timer posted on multiple versions of the dark web forum LockBit stated that the data would be released on Thursday at 3:39 PM ET.
After the Thursday afternoon deadline passed, the LockBit forums said the data had been released. However, both CBC News and an independent security analyst were unable to find the actual data available to access. CBC reached out to Indigo to confirm if it was aware of whether or not the data was released, but did not respond in time for publication.
Just because the information hasn’t apparently been released doesn’t mean the data is safe or secure — and it certainly doesn’t mean that the data won’t be released in the future, according to Chester Wisniewski, chief field technology officer for international cybersecurity firm Sophos.
“They are criminals, after all. They are under no obligation to do anything they say they will do,” said Wisniewski, who is based in Vancouver.
He noted that employee data must be assumed to have been compromised even if it has not been made public.
Several current and former Indigo workers told CBC News they worried about what would happen if information such as emails, home addresses, social security numbers and bank account details were made public. Indigo has previously told employees that these are just examples of some of the stolen data.
Indigo has offered some current and former employees two years of credit protection.
Megan, who worked at Indigo-owned stores until 2020, fears that if her identity is compromised because of this stolen data, she could face consequences forever. CBC agreed not to release her last name due to privacy concerns.
“There was no kind of assurance whatsoever from Indigo to me or any of my former co-workers as to what their plans were,” she said in an interview Thursday morning.
In a statement to CBC News on Wednesday, the company said it “will continue to address any concerns that may arise.”
But Megan says the two-year plan to monitor her credit history is not enough.
“I can’t report it years later if I want to buy a house,” she said. Oh, I may have been scammed years ago by a company I haven’t worked for in ten years.
“It definitely makes me a little bit more scared to, I guess, think about the future, because this is something that will probably follow me for the rest of my life.”
Companies Should ‘Inventory’ Information: The Privacy Expert
Part of the reason Canadians are vulnerable to identity theft due to cyberattacks is because corporate entities like Indigo keep so much information and for so long, according to Privacy and Access Council of Canada chair Sharon Polsky.
“We have to look at our employers and ask why, why do you keep this information?” She said, noting that local law may not be sufficient to protect Canadian data because many companies store their information on international servers, while cybercrime organizations often operate outside the jurisdiction of the courts.
“We can’t look at legislation that is, at best, 20 years old and was developed before all of these technologies were even considered,” Polsky said.
For now, she says, Canadians can try to protect themselves from identity theft by tracking their personal data and demanding better management from corporate entities such as employers.
“One of the things people may want to do is make a formal access to information request to their former employer and the companies and governments they do business with to see what information is being held about them and with whom it is shared,” she said.
“We should all have a stockpile of the information we’ve provided,” explained Polsky, who noted data points like birthdates, social security numbers, driver’s license numbers and home addresses.
The Indigo website is still partially down
Indigo previously said it did not know the identity of the group behind the attack that stole the information. LockBit has been used in previous cyberattacks, including one targeting the Toronto Hospital for Sick Children.
When Indigo was hit by the cyberattack on February 8, its website went completely down and traditional chain stores were also unable to process credit, debit or gift card transactions. Physical stores returned to business after the following weekend.
The site went back to making some purchases last week, but it still doesn’t offer as many products for sale as it did before the ransomware attack.
Source / The stock exchange in Canada, the beauty of Canada, the news of Canada, the lawyer of Canada, Bitcoin in Canada, the latest events and news in the state of Canada
