View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Costa Coffee Applicant Details Hacked – Owner Whitbread “Very Sorry”

Data breach of Aussie HR firm blamed

By CBR Staff Writer

The personal details of Costa Coffee and Premier Inn job applicants have been stolen after a data breach of owner Whitbread’s online recruitment system, run by Australia’s PageUp, the company confirmed today.

Bedfordshire-headquartered multinational Whitbread was hit after PageUp was hacked last month, in an incident that exposed the details of current and prospective employees

Details exposed include name, email address, physical address, telephone number and employment information. A Whitbread spokesman told Computer Business Review: “We’re not disclosing the number potentially affected.”

Asked if the company still had a relationship with PageUp, they confirmed as much and said they had been given assurance the issue was resolved. PageUp still does not precisely know precisely how many people were affected.

PageUp said in a published FAQ: “Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems. Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk.”

Current password data is protected using the robust password hashing algorithm, bcrypt, which includes salts, and therefore is considered to be of very low risk to individuals, the company added.

“We Repeat We Are Very Sorry”

David Kennerley, director of threat research at cybersecurity company Webroot, said in an emailed statement: “Data breaches involving third party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links. The fact that information like date of births and even maiden names have been stolen along with email addresses – gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Whitbread, which has some 50,000 UK staff across its brands, wrote to those potentially affected, saying.

The email says, as reported by the Irish Times: “At Whitbread we take protecting your data very seriously and we are very sorry that this has happened. We choose our partner organisations very carefully and take every possible step to ensure your data is always kept secure. We value all our job applicants and we want to repeat that we are very sorry that this has happened.”

PageUp has hired Melbourne-based security specialist Hivint to shore up its security, while the Australian Cyber Security Centre, Computer Emergency Response Team, Joint Cyber Security Centre, Australian Federal Police, IDCARE, and digital forensic business Klein & Co. were all also brought in to investigate the breach.

It is just the latest in a flurry of third-party vulnerabilities hitting major brands, from Ticketmaster to Fortnum & Mason and Monzo.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.