Third-party vendor breach compromised data of Whitbread employees
Threats / Third-party vendor breach compromised personal data of Whitbread employees
4 July 2018
Whitbread, the parent company of Costa Coffee, Premier Inn, and Beefeater, may have suffered a major breach of employee records after a third-party recruitment software provider announced that it suffered unauthorised access to its systems.
PageUp, the Australian recruitment software provider, announced last month that it suffered a security incident where unauthorised persons accessed its systems and possibly made off with personal details of job applicants as well as applicants listed as employment references.
Third party vendor hacked again!
Personal details of such people that may have been compromised by the unauthorised access include names, genders, dates of birth, email addresses, physical addresses, telephone numbers, and employment information (including employment status, company, and title).
“Non-personal data affected includes publicly available job information, system communications and approval requests related to postings and system information related to service level integrations. Client’s agency contact’s login details, including name, email address, physical address, and telephone number are among those potentially affected,” the SaaS provider said.
The firm added that the breach could have compromised non-personal information including publicly available job information, system communications and approval requests related to postings and system information related to service level integrations as well as client’s agency contact’s login details, including name, email address, physical address, and telephone number.
“While investigations continue, on the balance of probabilities, we believe certain personal data relating to our clients, placement agencies, applicants, references and our employees has been accessed. We continue to run forensic analysis, but based on our current information we believe data may include names, street addresses, email addresses, and telephone numbers.
“Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting and therefore is considered to be of very low risk to individuals. No employment contracts, applicant resumes, Australian tax file numbers, credit card information or bank account information were affected,” it said.
Whitbread has not released any statement about the breach suffered by PageUp but told IT Pro that it has informed affected parties about the breach without mentioning how many employees were actually affected.
Commenting on the breach suffered by PageUp and its effect on major clients such as Whitbread, David Kennerley, director of threat research at Webroot, told TEISS that data breaches involving third-party companies really highlight the need for larger businesses to look at the entirety of their supply chain for security weak-links.
“The fact that information like date of births and even maiden names have been stolen along with email addresses – gives cybercriminals all that they need to successfully monetise the hack, from phishing attacks to identity theft.
“Businesses of all sizes need to prioritise the security of critical and personal information, as you’re never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch, but also that any third party dealing with sensitive data or accessing your network does so in the right way too,” he added.
Proactively ensuring vendor compliance
Back in May, a report from security firm UpGuard revealed how third-party vendors pose the greatest challenge to businesses across Europe who are resetting their security practices and protocols to comply with the stringent requirements of GDOR.
According to UpGuard, if an enterprise with highly resilient and secure IT toolchain outsources the handling of sensitive or valuable data to third-party vendors lacking such well-designed processes and systems, then the hiring enterprise should pay the price for any resulting exposure.
The firm has also said that enterprises and their vendors must share equal responsibility to ensure the security of sensitive data against exposure to the wider internet. Such responsibility will ensure that third-party vendors will no longer be the weakest point in an organisation’s cyber defence system.
It added that companies should take several steps such as carrying out independent external assessment, creating vendor questionnaires, and carrying out data breach audits to proactively reduce the risks that third parties pose in their data handling capacity.
While independent external assessments will ensure that vendors follow best practices against common threats and breach vectors, questionnaires will give an enterprise full visibility into how vendors store and process data, and data breach audits will reveal existing vulnerabilities before the same are exploited by malicious actors.