Costa Coffee Owner Whitbread Suffers Data Breach

Personal data of Whitbread job applicants exposed after cyber attack on recruitment website down under

British multinational hotel, coffee shop and restaurant company Whitbread has suffered a data breach involving its online recruitment system.

Whitbread of course controls the Costa Coffee brand in the UK as well as Premier Inns, but the data breach actually took place at a third-party company which manages its online recruitment system.

There is no word on the number of people affected by the breach, but hopefully it will not be as big as the Dixons Carphone breach in June, which compromised 5.9 million payment cards and 1.2 million personal data records.

Recruitment breach

Whitbread on Monday sent out an email which said “there is a possibility” that any data submitted in the course of recruitment “may have been accessed and could potentially (in combination with other information) be used for identity theft”.

The breach took place in early June at Australian online recruitment services organisation PageUp, which manages Whitbread’s online recruitment portal.

Whitbread said PageUp had advised that it was not aware of any fraudulent activity relating to the data held on its systems.

But it is understood that contact details, biographical details and employment details have been affected in the data breach.

Whitbread advised people to change the password they used if it was the same as on other online services.

The British firm also suspended its use of PageUp as soon as it became aware of the incident, and prevented current applicants from uploading their data into the system.

Expert take

Security experts pointed to the risks associated with using third-party companies to manage certain corporate functions.

“Data breaches involving third party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links,” said David Kennerley, director of threat research at cybersecurity company Webroot.

“The fact that information like date of births and even maiden names have been stolen along with email addresses – gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft,” he said.

“Businesses of all sizes need to prioritise the security of critical and personal information, as you’re never too small or large to be a target,” said Kennerley. “The key learning lesson here is making sure that not only are your own security processes up to scratch, but also that any third party dealing with sensitive data or accessing your network does so in the right way too.”

Another expert also pointed to the growing issue of third-party breaches.

“Third-party data breaches continue to be a growing problem, and have been the source of a number of high-profile data leaks in recent years,” said James Romer, chief security architect at SecureAuth + Core Security.

“In this instance, by attacking a business that handles job applications for major firms, attackers have been able to access extremely confidential information, including addresses, maiden names and dates of birth, all of which could be sold on by criminals or used for identity theft,” said Romer.

“We’re used to seeing customers as the victims of personal detail exposure, but in this case existing and prospective employees are the prime targets and will need to practice continuous monitoring of their finances and vigilance to help mitigate the potential effects,” said Romer.

“Businesses must ensure that every step of their supply chain is secure and scrutinise the security practices of third party suppliers,” he concluded.
