WH Smith says staff data breached by cyberattack

2 Mar 2023

Image: © William/Stock.adobe.com

The UK retailer is investigating the incident and said the accessed data includes information on current and former employees.

Book and stationary retailer WH Smith said some of its data has been “illegally accessed” due to a cyberattack.

The company said some of the breached data includes information on current and former employees. WH Smith said it has notified all affected individuals and has “put measures in place to support them”.

SiliconRepublic.com understands that the compromised data includes employee names, addresses, dates of birth and national insurance numbers.

WH Smith said it has launched an investigation into the incident and has engaged “specialist support services”. The UK-based retailer has also notified relevant authorities as part of its incident response plan.

“WH Smith takes the issue of cyber security extremely seriously and investigations into the incident are ongoing,” the company said in a statement. “Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident.”

Besides employee data, it is currently unclear if any other company information was accessed from the breach or how long the threat actor had access.

The CEO of risk management platform CybSafe, Oz Alashe MBE, said the breach is another example of “high-profile British businesses falling victim to cybercrime”.

In January, sports and fashion retailer JD Sports revealed that the details of 10m customers were potentially accessed from a cyberattack.

Earlier that month, the UK postal service Royal Mail became temporarily unable to send items overseas after being disrupted by a “cyber incident”. Two cabinet ministers had their Twitter accounts hacked the week before this attack.

This followed a serious IT incident that hit The Guardian last December, which the paper later confirmed was a ransomware attack.

“Considering the data accessed, WH Smith workers will be an important line of defence in preventing further breaches,” Alashe said. “They will need to be aware of the ways cyber criminals can access systems to get a hold of sensitive information, including their own personal data.”

Martin Mackay, CRO at cybersecurity company Versa Networks, warned that stolen employee data usually ends up “sold on the dark web”, which can then be used to commit further crimes such as fraud.

“It is an awful position for both the business and employees to be in – not knowing who has access to their personal data, and ultimately, what they could be using it for,” Mackay said.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic