Indigo won’t pay up

If you’ve been waiting to order a copy of Prince Harry’s memoir or various home goods of questionable usefulness from Indigo, you’re gonna have to keep waiting.

What happened: Indigo, Canada’s largest bookseller, has chosen not to pay a ransom to the group carrying out a month-long ransomware cyberattack, even as they threaten to leak breached sensitive information about current and former employees onto the dark web.

  • The attack was carried out using LockBit, a ransomware created by a hacker group of the same name. Since LockBit has ties to Russia, Indigo wants to avoid any money ending up in the hands of terrorists or organizations sanctioned by Canada.

The attack has forced Indigo to take down its website and halt online ordering while also affecting its shipping services. The store has since launched a temporary browse-only site.

Zoom out: LockBit is no stranger to messing with Canadian companies. The group was responsible for nearly a quarter of all ransomware attacks in Canada last year, including an attack on SickKids Hospital (which it later apologized for, as it broke their code of conduct).

Why it matters: Indigo has committed to fighting a long fight by not paying the ransom. Like, War and Peace long. In the UK, it took the Royal Mail six weeks to resume regular services after a LockBit attack, and even then, it may have ponied up a US$40 million ransom. 

Bottom line: If this can happen to Indigo, it can happen to many companies. In 2021, almost one-fifth of Canadian businesses were impacted by cybersecurity incidents. As criminals get more sophisticated, personal data, vital services, and infrastructure are all at risk.