An Indigo cyberattack puts employees’ personal information at risk — and there’s little they can do about it
Former and current Indigo employees are being contacted about the possibility that their personal information will be sold on the dark web after the company’s website was hacked in a cybersecurity attack. The popular bookseller eventually refused to pay the ransom demanded.
The company admits on its website that its network was “illegally accessed by criminals using ransomware called ‘LockBit’”. The breach caused its website and online payment system to go down.
Indigo states that they have no reason to believe customer data has been compromised, but they do know that some employee data has been compromised.
Some former employees have come forward to confirm they have been contacted by the company about the possibility of their personal information being sold on the dark web.
Employees and ex-employees of the retailer are being offered two years of identity theft monitoring.
Lluc Cerda, a Calgary-based employment attorney at Samfiru Tumarkin LLP, says that from a legal standpoint, there isn’t much that can be done to compensate employees in relation to this cyberattack.
A similar situation occurred at credit reporting agency Equifax Canada, although it was aimed more at consumers than employees.
A class action lawsuit was launched by customers over the fact that their information was compromised during a hack. It went to the Ontario Court of Appeals but was eventually shot down, with the court concluding that the customers whose information was compromised could not sue for damages.
While the Indigo incident differs in that employee data appears to have been compromised, Cerda doesn’t think that would make a difference.
“Certain provinces have some obligations to protect private information, but it’s a shameful hack,” he tells Yahoo News Canada. “Unless we can prove that Indigo was somehow involved or complicit in the release of the confidential information, I don’t think there is much that can be done to prosecute them for compromising the information.”
According to Cerda, if a company can’t be held liable, what incentive does it have to make sure this type of information is well protected?
“That kind of challenge could do with some more thought by lawmakers because I wouldn’t say it’s without consequences for Indigo, but what incentive do they have to protect the sensitive information or pay the ransom,” he says.
Cyberattack insurance is becoming more common for businesses, as it requires specific protections to prevent such situations. For people starting a new role, Cerda says it might be worth asking their company what kind of protection it has against cyberattacks.
“It is worthwhile for every employer, regardless of size, to think about such insurance. More and more people are being hacked and when it’s so widespread it’s almost negligent not to protect the very sensitive and important information your customers and employees give you as a company.”
Lluc Cerda, employment attorney in Calgary