Ransomware · Contained

Indigo Books LockBit ransomware

LockBit affiliates encrypted Canada's largest bookseller, taking the website and in-store payment systems offline for weeks. Indigo publicly refused the ransom; LockBit published employee personal data.

Victim: Indigo Books & Music Inc.
Loss: $40.0M
Records: 5.0K
Users: 5.0K
Sector: Retail
Threat actor: LockBit
Named attackers: Dmitry Khoroshev

On 8 February 2023, Indigo Books & Music — Canada's largest book retailer with ~200 stores — was hit by LockBit ransomware. The company's e-commerce website went offline and in-store payment processing was disrupted across the chain. The incident became a high-profile Canadian retail breach during a year in which Indigo was already navigating significant operational pressures.

What happened

LockBit operators deployed ransomware against Indigo's payment-processing and e-commerce infrastructure on 8 February 2023. The blast radius was confined to:

  • In-store payment systems: debit and credit card processing offline. Stores reverted to cash-only for the first 24–48 hours.
  • Indigo's e-commerce website (indigo.ca and chapters.indigo.ca): completely offline, with customers unable to browse, order, or check order status.
  • Internal corporate systems: email and HR systems also affected, with employees working around the disruption.

The attack vector has not been publicly detailed. Indigo's communications described the incident as a "cybersecurity incident" before the LockBit attribution became public via the operation's leak site posting.

Restoration and refusal

Indigo's restoration timeline was:

  • 48 hours: in-store debit and credit acceptance restored at most locations.
  • 3 weeks: e-commerce website restored on 3 March 2023.
  • 6 weeks: full internal IT systems restored.

On 23 February 2023, LockBit publicly listed Indigo on its leak site and demanded $5 million in bitcoin. On 2 March, Indigo CEO Heather Reisman publicly stated:

"We have made the difficult decision not to make a ransom payment. While we recognise that this may result in the public release of stolen information, we will not contribute to the funding of criminal organisations such as LockBit."

The refusal was significant in the Canadian context — Canada had only recently seen Indigo's neighbour Sobeys-affiliated Empire Co. hit by ransomware (November 2022) and Investors Group / IG Wealth Management (December 2022). The Indigo refusal aligned Canada's posture with the Australian (Medibank, Latitude) and U.K. (Royal Mail) public-refusal model.

LockBit's response

On 15 March 2023, LockBit published the exfiltrated data on its leak site. Per Indigo's subsequent disclosures and external review:

  • Current and former Indigo employee personal information was in the dataset — including names, dates of birth, addresses, social insurance numbers, and direct deposit banking information.
  • Customer payment card data was not in scope, per Indigo's investigation.
  • Approximately 5,000 employees (current and former) were affected.

Indigo provided two years of credit monitoring to affected employees and notified the Office of the Privacy Commissioner of Canada per federal breach-notification requirements.

Impact

  • 3 weeks of e-commerce downtime during a low-but-not-trivial retail period (post-holiday, pre-spring).
  • ~5,000 employees with personal information exposed.
  • Direct cost to Indigo: ~$40M including remediation, business interruption, and employee support.
  • No customer payment data exposed, per Indigo's investigation.

Why it matters

Indigo is a canonical Canadian retail-ransomware case that aligns with the broader Western-democratic posture on public ransom refusal. It established:

  • That Canadian large retailers are operationally targetable by major ransomware operations and that the e-commerce blast radius can be significant even when card data is not exposed.
  • That public refusal to pay by a CEO is reputationally beneficial in the Canadian context. The Reisman statement was widely cited approvingly in Canadian press and helped establish a public-refusal default for subsequent Canadian incidents.
  • That employee personal information is now a routine target of double-extortion ransomware — even when the operation does not capture customer data, the employee dataset (SIN/SSN, direct deposit info) is functionally valuable to the attackers and damaging to the victim organisation.
  • That LockBit's affiliate program was actively running through 2023 with no apparent slowdown despite the Khoroshev unmasking that followed in May 2024. Indigo was an early-2023 reference point for the operational pressure that ultimately motivated Operation Cronos.

Financial impact

Reported costs in USD

Total reported loss: 40.0M USD · $40,000,000
Ransom demanded: $5.0M
Ransom paid: Refused
  • Business loss: $25.0M
  • Remediation: $15.0M

Timeline

  1. Indigo Books & Music discovers ransomware encryption affecting payment-processing infrastructure and the corporate website. Stores cannot accept debit cards; the website goes offline.

  2. Indigo publicly acknowledges a 'cybersecurity incident' affecting payment systems and the website.

  3. Indigo gradually restores in-store debit/credit acceptance; the e-commerce website remains offline.

  4. LockBit lists Indigo on its leak site. Demands US$5M ransom. Indigo's website is still offline.

  5. Indigo CEO Heather Reisman publicly states the company will not pay, citing concerns that the funds would be paid into the LockBit operation.

  6. Indigo's e-commerce website returns online, more than three weeks after the initial incident.

  7. LockBit publishes the exfiltrated data — including current and former Indigo employee personal information. Customer data is reported as not in the breach scope.

Sources

  1. indigo.ca: https://www.indigo.ca/en-ca/about-us/cybersecurity-incident/
  2. cbc.ca: https://www.cbc.ca/news/business/indigo-cyberattack-1.6741103
  3. theglobeandmail.com: https://www.theglobeandmail.com/business/article-indigo-cyberattack-employee-data/
