Costa Coffee and Premier Inn hit by data breach

Thieves may have made off with names, email addresses, employment info and more

One of the UK's biggest hospitality chains was hit by a data breach earlier this month, it has been revealed, after a third-party provider of recruitment software suffered a hack on its systems.

Australian SaaS firm PageUp revealed last month that it was "investigating a security incident where unauthorised person(s) accessed our system". The company acts as a supplier of HR software for Whitbread, the parent company of Costa Coffee, Premier Inn, Brewers Fayre, Beefeater and other UK chains.

The company warned that people who have applied for jobs with PageUp's clients could be affected by the breach, along with the people those applicants listed as employment references. Employees of PageUp clients who had access to the software could also be at risk, meaning some of Whitbread's HR staff could have been affected.

A startling breadth of data may have been compromised, according to PageUp, including:

  • Names
  • Genders
  • Dates of birth
  • Nationalities
  • Email addresses
  • Physical addresses
  • Telephone numbers
  • Employment information

PageUp stated, however, that CVs, financial data, performance reviews and contracts were not affected by the breach. In addition, it confirmed that new safeguards have been put in place to prevent such an incident from occurring again, and said that "cyber security experts have confirmed they have not identified any further threats on our systems".

Whitbread told IT Pro that it is a client of PageUp, but declined to state how many of its 50,000 UK employees were affected by the hack. It confirmed that it had notified all affected parties, however.

Although no financial data was taken, cyber security professionals warned that this breach still gave the hackers everything they need to be able to carry out further sophisticated, targeted attacks against the victims.

"Data breaches involving third-party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links," said Webroot's director of threat research David Kennerly. "The fact that information like date of births and even maiden names have been stolen along with email addresses gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft."

"Businesses of all sizes need to prioritise the security of critical and personal information, as you're never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch but also that any third party dealing with sensitive data or accessing your network does so in the right way too."

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Sopra Steria cyber attack costs to hit €50 million
Security

Sopra Steria cyber attack costs to hit €50 million

26 Nov 2020
Sophos warns customers of potential data leak
Security

Sophos warns customers of potential data leak

26 Nov 2020
Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron
Security

Weekly threat roundup: VMware, GitHub, Facebook, and MobileIron

26 Nov 2020
Egregor ransomware could take up where Maze left off
Security

Egregor ransomware could take up where Maze left off

26 Nov 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
Weekly threat roundup: Cisco, BlueKeep, Apache Unomi
Security

Weekly threat roundup: Cisco, BlueKeep, Apache Unomi

19 Nov 2020