(Toronto) A union representing 200 employees at bookstore chain Indigo Books & Music is asking the retailer to release more information about the extent of the recent data breach it suffered and to offer additional support to staff affected by the cyberattack.
United Food and Commercial Workers Local 1006A says it is ‘increasingly alarmed’ by new information that has emerged about a February 8 cyberattack on the largest chain of bookstores in Canada.
Current and former Indigo workers learned this week that their medical and immigration data was part of the breach, which the Toronto-based retailer said also included their name, email address, phone number, date of birth, home address, social insurance number, and direct deposit information, such as bank account number.
Last month, Indigo offered its employees two years of credit monitoring as the company grappled with an attack it blamed on ransomware known as LockBit.
Indigo warned current and former workers that their information could end up on the underground web, a part of the internet used for illicit activities. The company said it found no evidence of customer information breaches.
But employees still have several unanswered questions. In particular, is the company aware of any unauthorized use of potentially affected personal information and what measures is it taking to better protect the data?
The union representing workers at four stores in the Greater Toronto Area demanded answers to those questions in a letter it says it sent to Indigo. The missive also asked the company to support workers who may face identity theft or other harm as a result of the attack.
The union called the credit monitoring offer ‘commendable’, but argued that workers are entitled to more information about what other steps the company will take to protect them if their data falls into the wrong hands and is used for malicious purposes.
“The current circumstances demand nothing less from Indigo than a genuine commitment to take all reasonable steps to remedy the effects of the employee information breach,” the union said.
“We are confident that Indigo will do the right thing in the circumstances and put the best interests of its employees first.”
In response, Indigo said it takes the privacy and safety of current and former employees seriously and is working to ensure they receive up-to-date information about the attack.
“We continue to work to balance the need for timely updates with the need for accurate updates, and continue to work to respond to questions and concerns as soon as we can,” the company said in a statement.
It added that it was working with independent experts to strengthen its cybersecurity practices and improve data security measures.
The hack took Indigo’s website and payment systems abruptly offline.
The bookstore and home goods chain managed to quickly restore its payment systems and soon after launched a temporary, navigable-only website.