Blog

Canadian retailer Indigo Books & Music Inc. recently made headlines after it was hit by a ransomware attack that led to the exposure of sensitive information about the bookstore chain’s current and former employees. As a result, the company’s e-commerce operations were taken down, causing significant disruptions to both employees and customers. In the wake of the attack, Indigo made the decision not to pay the ransom demanded by the attackers, citing concerns about the potential consequences of funding criminal activity. This incident raises important questions about employee privacy and cybersecurity, and offers several important lessons for businesses to consider.

Protecting Employee Data Should Be a Top Priority

Indigo’s cyberattack underscores the importance of protecting employee data from cybercriminals. In this case, personal information such as home addresses, postal codes, social insurance numbers, birth dates, direct deposit information, bank account numbers, names, e-mail addresses, and phone numbers were all exposed. This type of information is highly valuable to cybercriminals, who can use it for identity theft, fraud, and other illicit activities. Businesses must take proactive steps to safeguard employee data, such as using strong passwords, encrypting data, and implementing robust security protocols.

Cybersecurity Threats Can Come from Anywhere

It is believed that Indigo’s cyberattack was carried out by a criminal organization. While it’s important to be aware of threats from hackers, it’s also important to remember that cyber threats can come from anywhere, including within the organization. Employee negligence, such as weak passwords, phishing scams, or the use of personal devices for work purposes, can also leave businesses vulnerable to cyber attacks.

Cybersecurity Is a Shared Responsibility

Indigo’s response to the cyberattack highlights the importance of collaboration and communication between businesses and law enforcement agencies. By working closely with Canadian law enforcement and the Federal Bureau of Investigation in the United States, Indigo was able to investigate the attack and mitigate its impact. Businesses must take a proactive approach to cybersecurity, including partnering with law enforcement agencies and sharing information about potential threats.

Privacy Laws Must Be Taken Seriously

In her internal letter to staff, Indigo president Andrea Limbardi cited the importance of privacy laws in making the decision not to pay the ransom. The privacy commissioners do not believe that paying a ransom protects those whose data has been stolen, as there is no way to guarantee the deletion/protection of the data once the ransom is paid. Both U.S. and Canadian law enforcement discourage organizations from paying a ransom as it rewards criminal activity and encourages others to engage in this activity. Businesses must take their legal obligations to protect employee privacy seriously, and work closely with legal experts to ensure they are in compliance with relevant laws and regulations.

Indigo’s decision not to pay the ransom and its subsequent actions in response to the cyberattack may also have implications for employment law. Employees whose personal information has been compromised may have legal claims against the company for failing to adequately protect their sensitive data. Depending on the jurisdiction, employers may be required to take certain measures to safeguard employee data, and failing to do so could result in legal liability. Indigo may also face legal action from former employees whose data was breached, as their personal information was still stored on the company’s systems. These legal implications highlight the importance of companies taking proactive steps to protect their employees’ personal information and complying with applicable privacy laws.

In conclusion, the cyberattack on Indigo Books & Music Inc. and the subsequent decision not to pay the ransom highlights the importance of privacy and employment law in today’s digital age. Employers have a duty to protect the personal information of their employees and customers from cyberattacks and data breaches. This duty includes implementing appropriate security measures, providing adequate training to employees, and being transparent and proactive in the event of a breach.