A union representing 200 employees of the bookstore chain Indigo is calling on the retailer to disclose more information about a recent data breach and offer additional support to staff affected by the incident.
In a statement issued Saturday, the United Food and Commercial Workers International Union Local 1006A expressed growing concern over new details which have emerged about the cyber attack that hit Indigo last February and demanded more clarity about its full scope.
Indigo previously disclosed that the attack had compromised names, email addresses, phone numbers, birth dates, home addresses, social insurance numbers, and direct deposit information such as bank account numbers. However, current and former employees were recently informed that their medical and immigration were also part of the breach.
The union's letter to Indigo stated that the company's communication regarding the attack left several questions unanswered, including whether there had been any unauthorized use of the potentially affected personal information. It also called on Indigo to explain what measures it is taking to better safeguard data and provide additional support for workers who may face identity theft or other damages due to the breach.
Indigo had offered staff two years of credit monitoring when it first revealed the breach. The union called this effort “commendable,” but said workers deserved more information about what other steps the company would take to protect them should their data fall into unauthorized hands.
“The current circumstances demand nothing less from Indigo than a genuine commitment that it will take all reasonable steps to remedy any and all effects on employees arising out of the information breach,” the union said, as cited by The Canadian Press.
A statement from Indigo said it takes the privacy and security of current and former staff seriously and is working to ensure they receive up-to-date information about the attack, adding that it has been working with third-party experts to strengthen its cybersecurity practices and enhance data security measures.
Indigo’s website and payment systems were taken offline by a cyber attack last February 8. The company had blamed the attack on the LockBit ransomware software and said it had not uncovered any evidence of customer information being breached.