Personal data breached at WH Smith

Staff names, addresses and NI numbers have been exposed

WH Smith has locations in airports, railway stations and high streets nationwide

Image:
WH Smith has locations in airports, railway stations and high streets nationwide

A cyberattack has exposed personal data belonging to current and former staff at high street retailer WH Smith.

The company hasn't shared any details about the incident yet, such as the type of attack or suspected identity of the hackers.

It has, however, stressed that its trading business and customer data - which is stored on a separate system - have not been affected.

Staff names, dates of birth, addresses and National Insurance numbers belonging to staff have all been compromised, though.

WH Smith employs about 12,500 people at more than 1,700 locations across the UK.

The company has already started notifying those affected and put measures in place to support them.

It further added, "Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services, and implemented our incident response plans, which included notifying the relevant authorities."

Those "relevant authorities" include the Information Commissioner's Office, which says it is aware of the incident and is investigation.

This is the second strike against a WH Smith brand in the last 12 months; its subsidiary Funky Pigeon had to suspend orders in August last year after a successful cyberattack.

Ian McShane, VP of strategy at Arctic Wolf, commented:

"Attackers are often looking for opportunities to exploit personal data for financial gain, and this attack on WH Smith is the latest example. While emails and passwords can be changed, personal information such as names and birthdays can't - hackers having this information exposes workers to the risk of phishing, identity theft, and other social engineering risks for a long time to come.

"WH Smith employees should take steps to ensure they change their passwords and have enabled two-factor authentication where available for their online accounts."

This latest attack joins a slew of others targeting British businesses this year.

In mid-January a ransomware attack at Royal Mail - for which the fallout is still ongoing - prevented the company from being able to handle any overseas deliveries.

Later that same month, 10 million customers were affected by an attack against sporting goods retailer JD Sports.