IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Costa Coffee and Premier Inn hit by data breach

Thieves may have made off with names, email addresses, employment info and more

One of the UK's biggest hospitality chains was hit by a data breach earlier this month, it has been revealed, after a third-party provider of recruitment software suffered a hack on its systems.

Australian SaaS firm PageUp revealed last month that it was "investigating a security incident where unauthorised person(s) accessed our system". The company acts as a supplier of HR software for Whitbread, the parent company of Costa Coffee, Premier Inn, Brewers Fayre, Beefeater and other UK chains.

The company warned that people who have applied for jobs with PageUp's clients could be affected by the breach, along with the people those applicants listed as employment references. Employees of PageUp clients who had access to the software could also be at risk, meaning some of Whitbread's HR staff could have been affected.

A startling breadth of data may have been compromised, according to PageUp, including:

  • Names
  • Genders
  • Dates of birth
  • Nationalities
  • Email addresses
  • Physical addresses
  • Telephone numbers
  • Employment information

PageUp stated, however, that CVs, financial data, performance reviews and contracts were not affected by the breach. In addition, it confirmed that new safeguards have been put in place to prevent such an incident from occurring again, and said that "cyber security experts have confirmed they have not identified any further threats on our systems".

Whitbread told IT Pro that it is a client of PageUp, but declined to state how many of its 50,000 UK employees were affected by the hack. It confirmed that it had notified all affected parties, however.

Although no financial data was taken, cyber security professionals warned that this breach still gave the hackers everything they need to be able to carry out further sophisticated, targeted attacks against the victims.

"Data breaches involving third-party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links," said Webroot's director of threat research David Kennerly. "The fact that information like date of births and even maiden names have been stolen along with email addresses gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft."

"Businesses of all sizes need to prioritise the security of critical and personal information, as you're never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch but also that any third party dealing with sensitive data or accessing your network does so in the right way too."

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download


Education and government most at risk from email threats

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems

Attackers use CSS to fool anti-phishing systems

11 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?

Should you take your password manager off the internet?

28 Jul 2022