'Inappropriate': Indigo refuses to pay ransom in cyberattack possibly linked to Russians

indigo-vw0302

Indigo Books & Music Inc. says it would be “inappropriate” to pay ransom to unlock the recent cyberattack on its network and that there is currently no indication of any risk to its customers.

In an email statement March 2, the company said it is prioritizing the safety and security of current and former employees who could be impacted by malicious actors.

“Given we cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists, Indigo has determined it would be inappropriate to pay the ransom,” it said.

Indigo said its network was illegally accessed on Feb. 8 using ransomware software known as LockBit, which it said some criminal groups affiliated with Russian organized crime use. It said, however, that the identity of the attackers is still not known.

The bookstore chain said it has been informed that those responsible for the attack may make some or all of the data they have stolen available using the dark web as early as Thursday.

The company said it is working closely with Canadian police and the United States Federal Bureau of Investigation in response to the attack.

The company added that it will provide two years of free identity theft monitoring to those affected and will continue to address any concerns that may arise.

Its physical stores remain open and a temporary website has been made available for those shopping online.

The Toronto-based retailer first reported the “technical issues” Feb. 8 on social media, saying its website and in-store electronic payment systems were unavailable. It said stores were also not able to accept gift cards or conduct returns at the time.

“We experienced a cybersecurity incident earlier today and are working with third-party experts to investigate and resolve the situation,” its online post said.

On Feb. 17, Indigo said its investigation found no indication that customer data was compromised by the incident. It had reopened its website that same day — nine days after the cyber attack — but said the “new temporary online home” was browsable-only, meaning, it was only available for online window-shopping.

Canadian organizations and other retailers have increasingly experienced cyberattacks in recent months.

On Dec. 18, a paediatric hospital in Toronto became the target of a cybersecurity incident that affected several of its network systems, prompting it to call a “Code Grey” — system failure.

• Indigo website still offline one week after cybersecurity incident

• Anatomy of a cyberattack: How Russian hackers took Saint John hostage

• Safety Net: How labour shortages could lead to more cyberattacks

LockBit, the same software that was used to attack Indigo’s network, with involved in the attack on the Hospital for Sick Children (SickKids).

SickKids had only lifted its “Code Grey” on Jan. 5 after restoring 80 per cent of priority systems.

Sobeys’ parent Empire Co. Ltd. in December said an apparent cyberattack that snarled operations in the fall of 2022 would cost the grocer $25 million.

Empire, the second-largest grocery chain in Canada, oversees a network of about 1,600 stores that includes the Sobeys, IGA, Safeway, Foodland, Farm Boy and FreshCo banners.

The company had described the incident as a “cybersecurity event” that knocked out pharmacy operations at the chain for four days in November and affected self-checkout technology, gift cards and the Scene+ loyalty program for a week.

• Email: dpaglinawan@postmedia.com | Twitter: denisepglnwn