WH Smith Hit by Cyber-Attack Targeting Employee Data
UK-based retailer WH Smith has confirmed a cyber-attack that compromised personal data belonging to current and former employees. The breach, detected earlier this week, exposed sensitive information, including names, addresses, National Insurance numbers, and dates of birth. The company, which employs around 10,000 people across its High Street stores and transport hubs, stated that its trading operations, customer accounts, and databases remain unaffected, as these systems are separate from those targeted.
The Information Commissioner’s Office (ICO) has been notified and is investigating the incident. WH Smith has begun notifying affected staff and implementing support measures. While the exact number of impacted individuals remains undisclosed, the breach highlights the growing vulnerability of retailers, which hold vast amounts of employee and customer data. Legal experts note that such attacks pose heightened risks, including identity theft and reputational damage, due to the sensitive nature of the exposed information.
This incident follows a 2023 cyber-attack on WH Smith’s subsidiary, Funky Pigeon, which disrupted online orders for several days. The retail sector remains a prime target for cybercriminals, with recent high-profile breaches affecting companies like JD Sports and Royal Mail. WH Smith has emphasized its commitment to cybersecurity as investigations continue.
Source: https://www.bbc.com/news/business-64823923
WHSmith cybersecurity rating report: https://www.rankiteo.com/company/whsmith
"id": "WHS1780791918",
"linkid": "whsmith",
"type": "Breach",
"date": "3/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Retail',
'location': 'UK',
'name': 'WH Smith',
'size': '10,000 employees',
'type': 'Retailer'}],
'data_breach': {'personally_identifiable_information': 'Names, addresses, '
'National Insurance '
'numbers, dates of '
'birth',
'sensitivity_of_data': 'High (National Insurance numbers, '
'dates of birth, addresses, names)',
'type_of_data_compromised': 'Personal data'},
'description': 'UK-based retailer WH Smith has confirmed a cyber-attack that '
'compromised personal data belonging to current and former '
'employees. The breach exposed sensitive information, '
'including names, addresses, National Insurance numbers, and '
'dates of birth. The company stated that its trading '
'operations, customer accounts, and databases remain '
'unaffected, as these systems are separate from those '
'targeted.',
'impact': {'brand_reputation_impact': 'Reputational damage',
'data_compromised': 'Personal data of current and former '
'employees, including names, addresses, '
'National Insurance numbers, and dates of '
'birth',
'identity_theft_risk': 'Heightened risk of identity theft',
'operational_impact': 'Trading operations, customer accounts, and '
'databases remained unaffected',
'systems_affected': 'Employee data systems'},
'investigation_status': 'Ongoing',
'references': [{'source': 'Cyber Incident Description'}],
'regulatory_compliance': {'regulatory_notifications': 'Information '
'Commissioner’s Office '
'(ICO) notified'},
'response': {'communication_strategy': 'Notifying affected staff and '
'implementing support measures'},
'title': 'WH Smith Cyber-Attack Targeting Employee Data',
'type': 'Data Breach'}