Indigo says employees’ personal banking information may have been breached in hack that brought down website

Indigo employees’ personal information, including bank account and social insurance numbers, may have been breached during a cyberattack that brought down the company’s website and its online payment system, the company told workers in an email Thursday night.

“Through our investigation, we recently learned that your personal information may have been acquired by an unauthorized third party between Jan. 16 and Feb. 8, 2023,” Andrea Limbardi, Indigo’s president, wrote to employees.

The information at risk includes employees’ email address, phone number, birth date, home address, postal code, social insurance number and banking information such as employee direct deposit information, including the name of the financial institution, bank account number and branch number.

Indigo experienced a cybersecurity incident on Feb. 8 that impacted its website and electronic payment system.

“We acted quickly to stop this event and prevent further unauthorized access,” Limbardi wrote. “We worked with external experts to investigate and resolve the situation as quickly as possible.”

Currently, all stores are open but the fully functioning website remains down; a temporary website that acts like an online store has been created, but it can’t accept online transactions.

Employees only hearing about their data potentially being breached three weeks after the incident is problematic, said retail analyst and author Bruce Winder.

“This new development has eroded trust not just with customers but with staff too,” said Winder. “I would say that all stakeholders including investors, customers, employees, suppliers, and regulators are puzzled as to why this issue has not been resolved after three weeks.”

To restore trust, he added, Indigo must be fully transparent and explain the situation in detail to the public.

“What else has happened that the company does not know about or has withheld from key stakeholders?” Winder said.

More to come

Clarrie Feinstein is a Toronto-based business reporter for the Star. Reach Clarrie via email: clarriefeinstein@torstar.ca