The personal details of Costa Coffee and Premier Inn job applicants have been stolen after a data breach of owner Whitbread’s online recruitment system, run by Australia’s PageUp, the company confirmed today.
Bedfordshire-headquartered multinational Whitbread was hit after PageUp was hacked last month, in an incident that exposed the details of current and prospective employees
Details exposed include name, email address, physical address, telephone number and employment information. A Whitbread spokesman told Computer Business Review: “We’re not disclosing the number potentially affected.”
Asked if the company still had a relationship with PageUp, they confirmed as much and said they had been given assurance the issue was resolved. PageUp still does not precisely know precisely how many people were affected.
PageUp said in a published FAQ: “Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems. Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk.”
Current password data is protected using the robust password hashing algorithm, bcrypt, which includes salts, and therefore is considered to be of very low risk to individuals, the company added.
“We Repeat We Are Very Sorry”
David Kennerley, director of threat research at cybersecurity company Webroot, said in an emailed statement: “Data breaches involving third party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links. The fact that information like date of births and even maiden names have been stolen along with email addresses – gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft.”
Whitbread, which has some 50,000 UK staff across its brands, wrote to those potentially affected, saying.
The email says, as reported by the Irish Times: “At Whitbread we take protecting your data very seriously and we are very sorry that this has happened. We choose our partner organisations very carefully and take every possible step to ensure your data is always kept secure. We value all our job applicants and we want to repeat that we are very sorry that this has happened.”
PageUp has hired Melbourne-based security specialist Hivint to shore up its security, while the Australian Cyber Security Centre, Computer Emergency Response Team, Joint Cyber Security Centre, Australian Federal Police, IDCARE, and digital forensic business Klein & Co. were all also brought in to investigate the breach.
It is just the latest in a flurry of third-party vulnerabilities hitting major brands, from Ticketmaster to Fortnum & Mason and Monzo.