Indigo says ransomware attack breached data of current and former employees

Indigo said the breach on Feb. 8 left no indication that customers' personal information, such as credit card numbers, had been accessed, but that ``some employee data was."

A ransomware attack compromised the data of current and former employees at Canada’s biggest bookstore chain, Indigo Books & Music Inc. says.

In a statement on its website, Indigo said the breach on Feb. 8 left no indication that customers’ personal information, such as credit card numbers, had been accessed, but that “some employee data was.”

The Toronto-based retailer said it has contracted consumer reporting agency TransUnion of Canada to offer two years of credit monitoring and identity theft protection to workers at no cost.

Customers remain unable to make purchases online except for “select books,” after Indigo halted website and app operations in what it referred to last week as a “cyberattack.”

When the incident began more than two weeks ago, Indigo was only able to process purchases made in store with cash, but some of its services, including over-the-counter credit and debit payments as well as exchanges and returns, have since been restored.

The company engaged third-party experts to investigate and resolve the matter, but did not publicly acknowledge the incident as a ransomware attack affecting employees until this week.

“Both current and former employees are being notified that their information may have been impacted,” the statement reads.