Union 'increasingly alarmed' about Indigo cyberattack, demands further disclosure

A union representing 200 employees of Indigo Books & Music Inc. is calling on the retailer to disclose more information about the scope of its recent data breach and offer additional support to staff affected.

United Food and Commercial Workers International Union Local 1006Asays it is "increasingly alarmed" by new information that has come to light about a Feb. 8 cyberattack on Canada's biggest bookstore.

Current and former Indigo workers learned this week that their medical and immigration data were part of the breach,which the Toronto-based retailer previously said also included their names, email addresses, phone numbers, birth dates, home addresses, social insurance numbers and direct deposit information such as bank account numbers.

Indigo blamed the attack on a ransomware software known as LockBit and warned current and past workers that their information may end up on the dark web, an underground portion of the internet used for illicit activity. It said it had not uncovered any evidence of customer information being breached.

But a letter the union sent to Indigo this week said several other key concerns had still not been addressed.

Those include whether the company is aware of any unauthorized use of personal info and what measures it is undertaking to better safeguard data.

"The company's communication leaves several questions unanswered, including most importantly, whether the company is aware of any unauthorized use of the potentially affected personal information," it read.

Questions about safeguards, support

The union representing workers at four stores in the Greater Toronto Area also asked Indigo to explain what measures it is undertaking to better safeguard data and provide additional support for workers who may face identity theft or other damages because of the attack.

Indigo offered staff two years of credit monitoring last month when it first revealed the breach.

The union called the credit monitoring offer "commendable," but said workers deserve more information about what other steps the company will take to protect them should their data fall into unauthorized hands and be used for nefarious purposes.

"The current circumstances demand nothing less from Indigo than a genuine commitment that it will take all reasonable steps to remedy any, and all effects on employees arising out of the information breach," the union said.

"We trust that Indigo will do the right thing in the circumstances and put the best interest of its employees first."

Indigo trying to 'strike a balance'

In response, Indigo said it takes the privacy and security of current and former staff seriously and is working to ensure they receive up-to-date information about the attack.

"We continue to work to strike a balance between the necessity for timely updates and the necessity for accurate updates, and continue to work to address questions and concerns as soon as we are able," the company said in a written statement.

It added that it has been working with third-party experts to strengthen its cybersecurity practices and enhance data security measures.

The hack resulted in Indigo's website and payment systems being abruptly booted offline.

The bookstore and home goods chain managed to quickly restore its payment systems and soon after launched a temporary, browsable-only website.

Indigo eventually allowed customers to purchase select books through the site and has since been gradually uploading more inventory.