
Ransomware group behind Indigo hack says it released stolen employee data, but nothing has appeared yet

A cyberattack group says it has released data from Canadian retailer Indigo after the company refused to pay a ransom, but that data did not actually appear on the LockBit 3.0 forums as promised after a deadline passed.

Personal information belonging to current and former Indigo employees was compromised

Pedestrians walk past an Indigo store in Toronto's downtown Yorkville neighbourhood on March 1, 2023.
A ransomware attack has compromised staff data at Canada's largest book seller, but a public release of the information didn't happen as expected on Thursday. (Evan Mitsui/CBC)

A deadline for Indigo Books to pay a ransom or risk the public release of employee personal information has come and gone without the stolen data being made public, but a privacy advocate and cybersecurity analyst both say this doesn't mean there's any less risk for Canadians affected by the data breach.

On Wednesday night, Canada's largest bookstore chain said it would not agree to payment demands from an online group claiming affiliation with ransomware site LockBit, because it could not guarantee the money wouldn't "end up in the hands of terrorists."

The hacker group indicated it would be posting all the stolen information publicly and a countdown timer posted on multiple versions of the LockBit dark web forum said the data would be released on Thursday at 3:39 p.m. ET.

A screenshot of a web page shows LockBit 3.0 logos, the Indigo Books logo, and
A 'dark web' page purporting to have published the Indigo ransomware data did not actually have any data published on it, as of Thursday afternoon. (Screenshot)

After the deadline passed on Thursday afternoon, the LockBit forums said the data had been released. However, both CBC News and an independent security analyst could not find actual data available to access. CBC reached out to Indigo to confirm if it was aware if the data had been released or not, but did not hear back in time for publication.

Just because the information appears not to have been posted does not mean the data is safe or secure and it definitely doesn't mean the data won't be released in the future, according to Chester Wisniewski, field chief technology officer at international cybersecurity firm Sophos.

"They are criminals, after all. They are not obligated to do anything that they say they're going to do," said Wisniewski, who is based in Vancouver.

He noted that it must be assumed that the employee data is compromised even if it's not released publicly.

A man in a beige shirt, wearing a headset, in a living room, looks straight at the camera.
Cybersecurity expert Chester Wisniewski says it should just be assumed the employee data is compromised, regardless of whether it becomes publicly available or not. (Anis Heydari/CBC)

Multiple current and former Indigo workers have told CBC News they are worried about what happens if information such as their emails, home addresses, social insurance numbers and bank account details are made public. Indigo has previously told employees those are just some examples of some of the stolen data.

Indigo has offered some current and former employees a credit protection service for two years.

Meghan, who worked at Indigo-owned stores until 2020, fears that if her identity is ever compromised due to this stolen data, she could face consequences forever. CBC has agreed not to reveal her last name due to privacy concerns.

"There's been no kind of assurance at all from Indigo to me or any of my former coworkers saying what their plans are," she said in an interview Thursday morning.

A white woman wearing glasses in a black sweater faces the camera.
Meghan used to work at Indigo and is worried this data breach will cause problems for her years in the future. (Anis Heydari/CBC)

The company said it "will continue to address any concerns that may arise" in a statement to CBC News on Wednesday.

But Meghan says the two-year plan to monitor her credit history isn't enough.

"I can't flag it years later down the line if I want to buy a house. 'Oh, I was maybe [de]frauded years ago by a company I haven't worked at for ten years,' " she said.

"It's definitely making me a little bit more scared, I guess, thinking about the future, because this is something that will follow me potentially for the rest of my life."

Companies must 'inventory' information: privacy expert

Part of why Canadians may face identity theft due to cyberattacks is because corporate entities such as Indigo keep too much information and for too long, according to Privacy and Access Council of Canada president Sharon Polsky.

"We have to look to our employers and ask why, why are you keeping this information?" she said, noting that domestic law may not be sufficient to protect Canadian data because many companies store their information on international servers, while cyber-crime organizations often operate outside of court jurisdictions.

"We can't look to the legislation that is, at best, 20 years old and was developed before all of these technologies were even contemplated," said Polsky.

For now, she says Canadians can try to protect themselves from identity theft by keeping track of their personal data and demanding better management from corporate entities such as employers.

Sharon Polsky, a woman in a red sweater with a black jacket, stands in a parking lot in front of an Indigo retail store in Calgary.
Sharon Polsky, president of the Privacy and Access Council of Canada, says companies should not be retaining personal information without a specific reason, and should only keep that information for defined periods of time. (Anis Heydari/CBC)

"One of the things people might want to do is put in a formal access to information request to their former employer and to the companies and governments they deal with to find out what information is held about them and who it has been shared with," she said.

"We have to all have an inventory of the information that we've given out," explained Polsky, who referenced data points such as birth dates, social insurance numbers, driver's licence numbers and home addresses.

Indigo website remains partly down

Indigo has previously said it didn't know the identity of the group behind the attack that stole the information. LockBit has been used in previous cyberattacks, including one that targeted Toronto's Hospital for Sick Children.

When Indigo was hit by the cyberattack on Feb. 8, its website went offline entirely and the chain's brick-and-mortar stores were also unable to process credit, debit or gift card transactions. Physical stores were back up after the following weekend.

The website was back to taking some purchases last week but is still not offering as many products for sale as before the ransomware attack.

With files from CBC's Meegan Read