Skip to content

Canada's Business and Tech Newsroom

  • Professional Subscription
  • Partnerships & Advertising
  • Licensing & Syndication
Log In Subscribe
Welcome,
  • My Account
  • Log Out
  • Business
  • Tech
  • National
  • The Big Read
  • Briefings
  • Commentary
Search
Log In Subscribe
Welcome,
  • My Account
  • Log Out
Exclusive

Indigo ransomware attack exposed some employees’ immigration application information, other sensitive data

VANCOUVER — The ransomware attack on Indigo last month exposed additional personal data for “a small number of employees” that includes information on medical leaves, immigration applications and other sensitive human-resources matters, the company confirmed to The Logic.

Exclusive

Indigo ransomware attack exposed some employees’ immigration application information, other sensitive data

Workplace investigations and medical leaves of ‘a small number of employees’ part of breach, company says

By Aleksandra Sagan
A month after the retailer was hit with a ransomware attack, Indigo has said more employee information was compromised than previously understood. Photo: The Canadian Press/Ryan Remiorz
Mar 8, 2023
A A
A Small A Medium A Large
Share

Gift

Share

VANCOUVER — The ransomware attack on Indigo last month exposed additional personal data for “a small number of employees” that includes information on medical leaves, immigration applications and other sensitive human-resources matters, the company confirmed to The Logic.

“We are writing to you today to provide you with an update regarding your personal information,” reads an email that chief operating officer Gil Dennis sent to a staff member Tuesday. “We are writing to let you know that the following information about you may also have been affected: work visa.”

Talking Points

  • Data exposed in the Feb. 8 ransomware attack on Indigo includes information on the medical leaves, immigration applications and workplace investigations of a small number of workers, the company said
  • Meanwhile, the company’s website, which went offline because of the attack, appears to be accepting online orders for available items

The staffer shared the email with The Logic, which is withholding the person’s identity as they are not authorized to speak on the matter. Indigo has instructed staff to redirect media enquiries to its communications department.

Indigo’s acknowledgement is the latest indication of how deeply hackers breached the book and lifestyle retailer’s data in the Feb. 8 ransomware attack, which exposed some current and former employees’ personal information. 

To date, the company has said that data included names, emails, phone numbers, birth dates, home addresses, social insurance numbers and direct deposit information. It has offered staff two years of credit monitoring and identity protection services. No customer data has been affected, Indigo has said; nor is the information of former staff who left the company before 2015.

Related Articles

Unlocking the potential of data: Privacy, innovation and public trust

By The Logic
A wide shot of a pipeline construction area, with an excavator using its boom to lift a length of pipe.

Cyber attacks target Canada’s energy companies at nearly double the rate of other industries: Documents

By Aleksandra Sagan

Indigo ransomware attack exposed employees’ data

By Aleksandra Sagan

But on Wednesday, the company provided further details to The Logic, saying the hackers also accessed information related to internal human-resources processes, including workplace investigations, immigration applications or medical leaves. Indigo has informed all those who may have had additional information accessed, said Melissa Perri, manager of public relations and influencer marketing, in an email. She did not answer any of The Logic’s questions beyond what additional data was compromised.

The culprits have threatened to expose the data on the dark web as early as March 2 should Indigo fail to pay a ransom amount that the company has not disclosed. It is unclear whether the data has been posted, but Indigo has said it is working with Canadian police services and the FBI.

“This situation is extremely serious,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University. “The kinds of data that Indigo is now informing its employees and former employees may have been exposed is of the most sensitive kinds that one can imagine entrusting to an employer.” While it’s unclear exactly what medical and workplace investigation information the hackers have, releasing it without context, due process or protection could be devastating to the employees affected, he said.

Indigo is not at fault for being the victim of a ransomware attack, he added, but does have a duty to protect this type of information, which employees have a right to expect is kept confidential. 

The retailer should immediately take every step possible to protect the employees whose data was breached from any negative outcomes, and inform them how it was accessed in the first place, Finlay said. Paying for two years of credit monitoring and identity theft services is not enough, he added. 

“We’re now arriving at a situation where there are real damages potentially being incurred,” he said. “Indigo now has to … offer more that are sufficient to these individuals to give them peace of mind and to compensate them, candidly, for what’s happened here.”

The Indigo staffer said they felt frustrated to learn about the additional exposure, and find it difficult to trust Indigo amid the fallout. “I think that everything could have been managed way more transparently and honestly,” the staffer said. “I don’t think they’ve thought about their employees at all.”

In Finlay’s judgment, not paying the ransom can be justified, but he said that decision should be made in tandem with an urgent plan to protect those whose information was made vulnerable.

Indigo’s Perri said in her statement that the company’s “top priority remains the safety and security of our current and former employees affected by the recent ransomware attack” and reiterated the two years’ of protective services on offer.

Gift the full article

In addition to compromising staff data, the attack thwarted Indigo’s ability to make sales. For several days, the company was unable to accept debit, credit and gift cards in stores. It restored digital payments at its locations nearly a week later. 

Its website also went offline, and 10 days after the attack, Indigo launched a browse-only version with a select number of books and lifestyle items. Last week, it was finally able to accept online orders for some books. On Wednesday, its website appeared able to take orders for all available products.

#cyber attack #Indigo #ransomware

Loading...

Thanks for sharing!

You have shared 5 articles this month and reached the maximum amount of shares available.

Close
This account has reached its share limit.

If you would like to purchase a sharing license please contact The Logic support at [email protected].

Close
Want to share this article?

Upgrade to all-access now

Close
Gift the full article!

You have gifted 0 article(s) this month and have 5 remaining.

Copy link and gift
Copy Link
Email to a friend
Send Email
Gift on Social Media

Recipients will be able to read the full text of the article after submitting their email address. They will not have access to other articles or subscriber benefits.

Photo: The Canadian Press/Ryan Remiorz

Most Popular This Week

Exclusive

PCO clerk Sabia stayed on Mastercard Foundation board for a year with no conflict screen

By Joanna Smith
Nakisa CEO Babak Varjavandi in a screencapture from the floor of a tech show. He's wearing a suit jacket and open-collared shirt.
News

Canadian firms are ready to help with digital sovereignty. Their challenge is getting approved

By Laura Osman
A shot of a small rocket sitting on a launch pad attached to its launch equipment. The backdrop is open sea and a light blue sky.
News

Canada’s submarine decision just paid off for Nova Scotia’s spaceport

By David Reevely
An aerial photo of Kearny mine, a mine surrounded by dense forest, with terraced rock walls that surround a deep blue body of water.
News

Canada bets on graphite as allies scramble for critical minerals

By Anita Balakrishnan

In-depth, agenda-setting reporting

Great journalism delivered straight to your inbox.

A shot of a sign bearing the Pfizer logo, with a lowrise office building in the background.
News

So far, foreign-owned firms have dominated Buy Canadian contracts

By Laura Osman

Briefing

Sabia upholding ‘highest standards of integrity’ after double duty with Mastercard Foundation, PMO says

By David Reevely   |   Jul 14, 2026 | 2:19 PM ET

CPP Investments backs German defence startup Helsing’s US$1.8B funding round

By Catherine McIntyre   |   Jul 13, 2026

Ford and Unifor reach tentative deal

By Anita Balakrishnan   |   Jul 13, 2026

Best business newsletter in Canada

Get up to speed in minutes with insights and analysis on the most important stories of the day, every weekday.

Exclusive events

See the bigger picture with reporters and industry experts in subscriber-exclusive events.

Membership in The Logic Council

Membership provides access to our popular Slack channel, participation in subscriber surveys and invitations to exclusive events with our journalists and special guests.

Recent Popular Stories

Commentary: Quebec Ink

Quebec’s era of endless, cheap electricity is coming to an end

By Martin Patriquin   |   Jul 6, 2026
A cityscape featuring two tall buildings; the right one has a large orange "Q" logo and a Quebec flag atop. The sky is clear and blue.
Exclusive

PCO clerk Sabia stayed on Mastercard Foundation board for a year with no conflict screen

By Joanna Smith   |   Jul 13, 2026
News

Canada’s submarine decision just paid off for Nova Scotia’s spaceport

By David Reevely   |   Jul 8, 2026
A shot of a small rocket sitting on a launch pad attached to its launch equipment. The backdrop is open sea and a light blue sky.
News

Canada bets on graphite as allies scramble for critical minerals

By Anita Balakrishnan   |   Jul 7, 2026
An aerial photo of Kearny mine, a mine surrounded by dense forest, with terraced rock walls that surround a deep blue body of water.
News

Meta to spend $13B on sprawling Alberta data-centre complex

By Meghan Potkins   |   Jul 8, 2026
An aerial-style rendering of a massive data centre on a prairie landscape of farm fields and trees.
News

Alberta wants to be a model for government AI and power Canada-wide adoption

By Murad Hemmadi   |   Jul 10, 2026
A shot of Nate Glubish at a lectern, against a backdrop of exposed brick partly covered by a white film screen.

Canada's most influential executives and policymakers are reading The Logic

  • CPP Investments
  • Sun Life Financial
  • C100
  • Amazon
  • Telus
  • Mastercard
  • bdc
  • Shopify
  • Rogers
  • RBC
  • General Motors
  • MaRS
  • Government of Canada
  • Uber
  • Loblaw Companies Limited
logic-logo

Canada's Business and Tech Newsroom

100% human-crafted journalism

Newsroom

  • News Tips
  • AI Policy
  • Editorial Disclosures
  • Story Pitches

Company

  • About Us
  • Terms of Service
  • Privacy Statement
  • Corporate Information

Contact

  • Contact Us
  • Advertise
  • FAQs
  • Work at The Logic

© 2026 The Logic Inc. All Rights Reserved.

Trusted by leaders

Error

Account creation failed.

Please email us at [email protected].

Create Account

[wppb-register form_name=”cozmo-registration-form-for-modal”]

I do have an account
Login
or

[wppb-login]

I don’t have an account