Whitbread is the latest big-name company to have been affected by a breach at a popular third-party recruitment platform provider, it has emerged.
The UK hotel and coffee shop operator has admitted that some current and prospective employees’ data may have been compromised, thanks to an incident last month at Australian supplier PageUp.
An email sent by Whitbread to those potentially affected claimed that data handed to the company during the recruitment process “may have been accessed and could potentially (in combination with other information) be used for identity theft,” according to the Irish Times.
Whitbread isn’t disclosing how many people may have been affected, although it has roughly 50,000 staff in the UK, and owns brands including Costa Coffee and Premier Inn.
According to PageUp, the details stolen in the cyber-attack it revealed last month included name, email address, physical address, telephone number, gender, date of birth and employment details: more than enough to craft convincing follow-on phishing emails.
Passwords were salted and hashed with bcrypt by the Aussie provider, but Whitbread is still advising individuals to change them if they reused the same credential on other sites.
The firm has also suspended its use of the third-party recruitment platform for now.
David Kennerley, director of threat research at cybersecurity company Webroot, argued the case highlights the need for companies to vet their supply chains more rigorously.
“The fact that information like dates of birth and even maiden names have been stolen along with email addresses gives cyber-criminals all that they need to successfully monetize the hack, from phishing attacks to identity theft,” he added.
“Businesses of all sizes need to prioritize the security of critical and personal information, as you’re never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch, but also that any third party dealing with sensitive data or accessing your network does so in the right way too.”
That’s especially true in the new GDPR era, where a company and the third-party suppliers that process data on its behalf share responsibility for keeping customer and employee personal data secure.