Some current and former Indigo employees have received some really bad news: their personal data was stolen in a cyberattack last month. According to a report by CBC News, current and past employees have been trying to navigate this sudden threat, which may hang over their heads for the rest of their lives. Indigo currently operates more than 160 stores across Canada and has over 8,000 employees.
According to CP24, one former Indigo employee, who asked to keep her name private for fear of becoming a further target, shared that she has yet to hear whether she was affected by the breach. She went on to say that the notion of her personal information being on the dark web is “frightening”, and that she is concerned about the unfolding situation and how large the exposure could be. “It’s definitely making me a little bit more scared, I guess, thinking about the future, because this is something that will follow me potentially for the rest of my life.”
Indigo has confirmed in a statement that on February 8th 2023 they were indeed breached, and the company decided to not pay the ransom. According to the Financial Post the company said it would be “inappropriate” to do so.
It seems the hackers got everything they need for potential identity theft: addresses, phone numbers, dates of birth, and social security numbers were all taken. Indigo says its digital payment system and website were attacked in early February using a ransomware program known as “LockBit.”
Ransomware attacks have been on a steady incline.
The increasing number and size of ransomware attacks are becoming a big issue for thousands of organizations all around the world. From municipalities to private businesses, healthcare and governments, these rogue cyber-pirates are able to take advantage of security vulnerabilities and encrypt data, essentially holding it hostage unless the target pays to have it returned. According to blackberry.com, the average ransomware payment is approximately $1 million per incident and victims of LockBit pay an average ransom of $85,000. This indicates that LockBit traditionally preyed on smaller fish, small-to-medium-sized businesses, who are less likely to have a large budget for cyber security. However, it seems that this time the hackers are swimming in a bigger pond, and going after whales, such as Indigo.
According to Heimdal, a cybersecurity software company, “Every day, over 200,000 new ransomware strains are detected, meaning that every minute brings us 140 new ransomware strains capable of evading detection and inflicting irreparable damage”. For many police departments it is challenging to keep up with the sophistication of the ever-evolving sinister software and hackers.
LockBit ransomware has been implicated in more cyberattacks lately than any other ransomware. LockBit’s targets are many, including SickKids Hospital in Toronto as well as the municipalities of Westmount, Que., and St. Marys, Ont. In November 2022, the FBI arrested Russian-Canadian dual citizen Mikhail Vasiliev, who is alleged to have been involved with the LockBit campaign.
What can people do to keep safe from cyberattacks?
According to Version.com, a digital security and technology hub, there are some good tips to help keep one safe from identity theft, including:
Making Your Information Hard to Obtain
- Use a password manager or a different password for each account with a mix of characters, symbols and numbers; do NOT use your birth date
- Keep passwords in a safe place only you can access and change them periodically, especially if a company or vendor you use has experienced a breach
- Use two-factor authentication
Limiting the Amount of Personal Data Out There on the Web and Social Media
- Remove personal information such as your hometown, birthday, phone number or even your pet’s name from social media, as these are often the answers to security questions for financial institutions and online banking
- Periodically go through your Friend and Contact lists to remove anyone you don’t know
- Change your settings from public to private
However, there is only so much the individual can do when their personal information is stored for years on their employer’s servers.
How long should an employer hang onto their staff’s personal information?
Part of what makes people vulnerable to identity theft via cyberattacks is that corporations, such as Indigo, are keeping too much personal data for far too long.
As reported by CBC News, the Privacy and Access Council of Canada president Sharon Polsky said, “We have to look to our employers and ask why, why are you keeping this information?” Polsky also noted that domestic laws may not be enough to protect data because many companies store their information on international servers, and cyber-crime organizations often operate beyond court jurisdictions. She went on to share, “We can’t look to the legislation that is, at best, 20 years old and was developed before all of these technologies were even contemplated.”
Indigo shared on February 17th that its investigation had not found any evidence that customers’ personal information, such as credit card numbers, had been accessed, only staff data. The company is providing two years of identity theft monitoring to current and former employees victimized by the breach.
An avid book reader and proud library card holder, Angela is new to the world of e-Readers. She has a background in education, emergency response, fitness, loves to be in nature, traveling and exploring. With an honours science degree in anthropology, Angela also studied writing after graduation. She has contributed work to The London Free Press, The Gazette, The Londoner, Best Version Media, Lifeliner, and Citymedia.ca.