'What incentive do they have?': Indigo cyberattack puts employees' personal information at risk -- and there's little they can do about it
Don't start a new job without asking the employer questions about your personal information, lawyer advises
Former and current Indigo employees are being contacted about the possibility of their personal information being sold on the dark web, after the company’s website was hacked in a cyberattack. The popular bookseller ultimately refused to pay the ransom that was requested.
The company admits on its website that its network was “illegally accessed by criminals who deployed ransomware software known as ‘LockBit’.” The breach caused its website and online payment system to go down.
Indigo states that there’s no reason to believe customer data has been compromised, but they do know some employee data was.
Some former workers have come forward to confirm that they’ve been contacted by the company about the possibility of their personal data being sold on the dark web.
Having my personal information sold on the dark web is exactly how I imagined my journey as a former Indigo Books & Music employee concluding, actually
— Domenica Martinello (parody) (@domenicahope) March 2, 2023
Employees and former employees of the retailer are being offered two years of identity theft monitoring.
Lluc Cerda, a Calgary-based employment lawyer at Samfiru Tumarkin LLP, says that from a legal standpoint, not much can be done to compensate employees with regard to this cyberattack.
A similar situation happened with credit bureau company Equifax Canada, though it targeted consumers more than it did employees.
A class action lawsuit by customers was launched over the fact that their information was compromised during a hack. It went to the Ontario Court of Appeal, but was ultimately shot down, with the court concluding that the customers who had their information compromised couldn’t sue for damages.
While the difference with the Indigo breach is that it appears employees’ information was compromised, Cerda doesn’t think it would make a difference.
“There are some obligations in certain provinces to protect private information, but this is a nefarious hack,” he tells Yahoo News Canada. “Unless we can show Indigo was somehow involved or complicit in the release of the confidential information, I don’t think a lot can be done going after them for the compromise of the information.”
Cerda says it raises the question about not being able to hold a company liable - what incentive do they have to make sure that kind of information is well protected?
“That kind of challenge is something that the legislature could think a little bit more about because, I wouldn’t say this is without consequence for Indigo but what incentive do they have to protect the sensitive information, or pay the ransom,” he says.
Cyberattack insurance is becoming increasingly common for companies to opt into, as it requires certain protections that prevent these kinds of situations. For people starting at a new position, Cerda says it might be worthwhile to ask their company what kind of protections they have from cyberattacks.
It’s worth it for every employer, no matter the size, to consider these kinds of insurances. More and more people are being hacked and when it’s so prevalent, it’s almost negligent not to have it to protect the very confidential and important information that your clients and employees give to you as a company.
Lluc Cerda, Calgary-based employment lawyer