Whitbread data breach at Costa and Premier InnWhitbread has admitted that its recruitment system has suffered a data breach. The breach affects the personal data of anyone who applied for a job with Costa Coffee or Premier Inn.

The source of the breach is PageUp, the Australian HR SaaS provider. PageUp runs the online recruitment system for all of Whitbread’s businesses.

At the beginning of June, PageUp admitted to a data breach. Since then, it has issued regular updates about what it is doing. In one of those update two weeks ago, it said that it was notifying customers who were affected. Whitbread is the first PageUp customer to admit that the breach has affected its worldwide operations.

Who has been affected?

The breach affects job applicants that have used the Whitbread online recruitment system. This includes specifically those applying for work at Costa Coffee and Premier Inn. How far back the breach goes and how many people are affected is not known. A Whitbread spokesman told Computer Business Review: “We’re not disclosing the number potentially affected.”

Under GDPR, Whitbread is required to make its own disclosure to the UK Information Commissioners Office. It is also required to inform anyone who might have been affected by the breach. That means that it knows the scope of the problem. Why it has chosen not to disclose the size of the breach is unclear. However, those details will be released once the UK ICO completes its investigation.

PageUp has said that the data breach included:

  • ­Contact details including name, email address, physical address, and telephone number
  • Biographical details including gender, date of birth, and middle name (if applicable), nationality, and whether the applicant was a local resident at the time of the application
  • Employment details at the time of the application, including employment status, company and title. If the application was submitted for a reference check, then the following additional details may have been provided by the reference: technical skills, special skills, team size, length of tenure with company, reason for leaving that position (if applicable), and the length of relationship between the applicant and reference

PageUp has also said that the details of references were also part of the lost data. For references who were included with an applicant’s information, contact information (including name, email address, physical address, and telephone number) and employment information at the time the reference was provided (including company, title, and the length of the relationship with the applicant) are affected.

The risk of third-party suppliers

This breach highlights the risk of third-party suppliers who have access to sensitive data. Hackers are always going to identify the weak link in any supply chain. It is far easier for them to attack a small organisation than to take on experienced cyber security teams.

It will be interesting to see if any details of how PageUp customers evaluated its security stance are released. PageUp has its own security page where it publishes how it secures data. It is likely that many of its customers read that page and assumed that the company was highly secure. That is something we now know is not the case.

According to James Romer, Chief Security Architect at SecureAuth + Core Security: “Third-party data breaches continue to be a growing problem, and have been the source of a number of high-profile data leaks in recent years. In this instance, by attacking a business that handles job applications for major firms, attackers have been able to access extremely confidential information, including addresses, maiden names and dates of birth, all of which could be sold on by criminals or used for identity theft.

“Businesses must ensure that every step of their supply chain is secure and scrutinise the security practices of third party suppliers. They have a responsibility and duty of care to both customers and employees to keep their data safe and ensure that personal identifiable information is protected, through layering appropriate security before the authentication phase. Most data breaches leverage misused user credentials, so if businesses focus on getting the access and authentication part right for users, that’s half the battle.”

What does this mean?

Anyone who has applied for a job at Costa Coffee or Premier Inn needs to be careful. No financial data was stolen in this attack but the data that was taken is more than enough to craft a spear phishing attack. It is not just job applicants who need to be concerned. As the details of references was also stolen, these individuals are also at potential risk.

This breach occurred just before GDPR penalties kicked in. That will be of some relief to PageUp, Whitbread and other affected companies. However, the regulators may well want to see the security and risk assessment that Whitbread made when it engaged PageUp. Part of getting GDPR ready should have meant companies reviewing third-party data access risk. While such a task is resource intensive and can be costly, as today’s survey from ICSA shows, it is necessary.

Perhaps this latest breach will lead the ICO to remind companies of third-party risk.


Please enter your comment!
Please enter your name here