VANCOUVER — The ransomware attack on Indigo last month exposed additional personal data for “a small number of employees” that includes information on medical leaves, immigration applications and other sensitive human-resources matters, the company confirmed to The Logic.
“We are writing to you today to provide you with an update regarding your personal information,” reads an email that chief operating officer Gil Dennis sent to a staff member Tuesday. “We are writing to let you know that the following information about you may also have been affected: work visa.”
Talking Points
- Data exposed in the Feb. 8 ransomware attack on Indigo includes information on the medical leaves, immigration applications and workplace investigations of a small number of workers, the company said
- Meanwhile, the company’s website, which went offline because of the attack, appears to be accepting online orders for available items
The staffer shared the email with The Logic, which is withholding the person’s identity as they are not authorized to speak on the matter. Indigo has instructed staff to redirect media enquiries to its communications department.
Indigo’s acknowledgement is the latest indication of how deeply hackers breached the book and lifestyle retailer’s data in the Feb. 8 ransomware attack, which exposed some current and former employees’ personal information.
To date, the company has said that data included names, emails, phone numbers, birth dates, home addresses, social insurance numbers and direct deposit information. It has offered staff two years of credit monitoring and identity protection services. No customer data has been affected, Indigo has said, nor has the information of former staff who left the company before 2015.
But on Wednesday, the company provided further details to The Logic, saying the hackers also accessed information related to internal human-resources processes, including workplace investigations, immigration applications or medical leaves. Indigo has informed all those who may have had additional information accessed, said Melissa Perri, manager of public relations and influencer marketing, in an email. She did not answer any of The Logic’s questions beyond what additional data was compromised.
The culprits have threatened to expose the data on the dark web as early as March 2 should Indigo fail to pay a ransom amount that the company has not disclosed. It is unclear whether the data has been posted, but Indigo has said it is working with Canadian police services and the FBI.
“This situation is extremely serious,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University. “The kinds of data that Indigo is now informing its employees and former employees may have been exposed is of the most sensitive kinds that one can imagine entrusting to an employer.” While it’s unclear exactly what medical and workplace investigation information the hackers have, releasing it without context, due process or protection could be devastating to the employees affected, he said.
Indigo is not at fault for being the victim of a ransomware attack, he added, but does have a duty to protect this type of information, which employees have a right to expect is kept confidential.
The retailer should immediately take every step possible to protect the employees whose data was breached from any negative outcomes, and inform them how it was accessed in the first place, Finlay said. Paying for two years of credit monitoring and identity theft services is not enough, he added.
“We’re now arriving at a situation where there are real damages potentially being incurred,” he said. “Indigo now has to … offer more that are sufficient to these individuals to give them peace of mind and to compensate them, candidly, for what’s happened here.”
The Indigo staffer said they felt frustrated to learn about the additional exposure, and find it difficult to trust Indigo amid the fallout. “I think that everything could have been managed way more transparently and honestly,” the staffer said. “I don’t think they’ve thought about their employees at all.”
In Finlay’s judgment, not paying the ransom can be justified, but he said that decision should be made in tandem with an urgent plan to protect those whose information was made vulnerable.
Indigo’s Perri said in her statement that the company’s “top priority remains the safety and security of our current and former employees affected by the recent ransomware attack” and reiterated the two years of protective services on offer.
In addition to compromising staff data, the attack thwarted Indigo’s ability to make sales. For several days, the company was unable to accept debit, credit and gift cards in stores. It restored digital payments at its locations nearly a week later.
Its website also went offline, and 10 days after the attack, Indigo launched a browse-only version with a select number of books and lifestyle items. Last week, it was finally able to accept online orders for some books. On Wednesday, its website appeared able to take orders for all available products.