British Retailer WH Smith Discloses Breach of Employee Data

Website Unaffected and No Customer Accounts or Databases Exposed, Company Reports
London Victoria station (Image: WH Smith)

Airport concessionaire and main street retailer WH Smith is the latest big British business in recent months to announce it was hit by hackers and suffered a data breach.

WH Smith said Thursday it had been the victim of an attack that resulted in the exposure of data pertaining to current and former employees. The Swindon, England-based company, which is listed on the London Stock Exchange, said no information about customers appeared to have been exposed and that its website had not been disrupted by the attack.

"We immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities," the company told investors in a Thursday "notice of cybersecurity incident."

"There has been no impact on the trading activities of the group," it added.

WH Smith has yet to detail when the breach began, how or when it was detected and the number of individuals affected. It also has yet to clarify whether the data exposure affected only U.K.-based employees or those in other geographies as well.

WH Smith operates more than 1,100 stores across the U.K., comprising both retail outlets and travel stores in airports, hospitals, railway stations and roadside service areas. The company also has 100 stores in 13 countries across Europe, 40 stores in India, 40 stores across six Middle Eastern countries, 60 stores in Australia, more than 50 stores across five Asian countries, and nearly 300 stores in North America - which it operates under the Marshall Retail Group and InMotion brand names.

Britain's privacy watchdog, the Information Commissioner's Office, which enforces the U.K.'s General Data Protection Regulation, says it's been notified of the breach. "WH Smith has made us aware of an incident and we are making enquiries," the ICO says.

British Data Breaches Continue

The cybersecurity alert from WH Smith makes it the latest big-name British brand to announce that it suffered a data breach.

Other recent victims include JD Sports, the British-based sports fashion retailer with outlets around the globe, which in late January warned that hackers had stolen data pertaining to "approximately 10 million unique customers," tied to orders placed between November 2018 and October 2020.

Glasgow-based automobile retail giant Arnold Clark in late December acknowledged a ransomware attack. It disclosed in January that attackers hadn't just crypto-locked its systems, but had also stolen customer data, which they subsequently leaked when Arnold Clark declined to pay a ransom.

On Jan. 11, the international arm of Royal Mail, the private business that runs Britain's national post system, reported that multiple systems had been hit by ransomware, leaving it unable to export letters or parcels. Forty-two days later, on Feb. 22, Royal Mail finally restored all services or had full workarounds in place.

March 3, 2023 11:12 UTC: This story has been updated with comment from the ICO.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



