Costa Coffee and Premier Inn hit by data breach
Thieves may have made off with names, email addresses, employment info and more
One of the UK's biggest hospitality chains was hit by a data breach earlier this month, it has been revealed, after a third-party provider of recruitment software suffered a hack on its systems.
Australian SaaS firm PageUp revealed last month that it was "investigating a security incident where unauthorised person(s) accessed our system". The company acts as a supplier of HR software for Whitbread, the parent company of Costa Coffee, Premier Inn, Brewers Fayre, Beefeater and other UK chains.
The company warned that people who have applied for jobs with PageUp's clients could be affected by the breach, along with the people those applicants listed as employment references. Employees of PageUp clients who had access to the software could also be at risk, meaning some of Whitbread's HR staff could have been affected.
A startling breadth of data may have been compromised, according to PageUp, including:
- Dates of birth
- Email addresses
- Physical addresses
- Telephone numbers
- Employment information
PageUp stated, however, that CVs, financial data, performance reviews and contracts were not affected by the breach. In addition, it confirmed that new safeguards have been put in place to prevent such an incident from occurring again, and said that "cyber security experts have confirmed they have not identified any further threats on our systems".
Whitbread told IT Pro that it is a client of PageUp, but declined to state how many of its 50,000 UK employees were affected by the hack. It confirmed that it had notified all affected parties, however.
Although no financial data was taken, cyber security professionals warned that this breach still gave the hackers everything they need to be able to carry out further sophisticated, targeted attacks against the victims.
"Data breaches involving third-party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links," said Webroot's director of threat research David Kennerly. "The fact that information like date of births and even maiden names have been stolen along with email addresses gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft."
"Businesses of all sizes need to prioritise the security of critical and personal information, as you're never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch but also that any third party dealing with sensitive data or accessing your network does so in the right way too."
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now