Dark Illusion - stock.adobe.com

WH Smith staff data accessed in cyber attack

The retailer has said that customer data has not been affected by the incident as it is held in different systems, and that investigations into the attack are ongoing

High street retailer WH Smith has been the victim of a cyber attack in which the perpetrators accessed sensitive company data, including personal information of former and current employees.

The company confirmed that the attackers have been unable to access any customer data from either its website or backend databases, as that information is held on separate systems “unaffected by this incident”.

WH Smith added that it had launched an investigation and has informed the relevant authorities of the incident.

“WH Smith takes the issue of cyber security extremely seriously and investigations into the incident are ongoing,” said a spokesperson. “We are notifying all affected colleagues and have put measures in place to support them. There has been no impact on the trading activities of the group.”

The personal staff data that attackers accessed includes names, addresses, National Insurance numbers and dates of birth. It is currently unclear who the perpetrators of the attack are.

Computer Weekly contacted WH Smith about the nature of the attack and whether there is any indication of who did it, but WH Smith did not disclose any further information beyond its statement.

In April 2022, WH Smith-owned Funky Pigeon fell victim to a cyber attack that forced it to stop taking orders for an entire week, although there was no indication that payment, account password or other customer data were at risk in that incident either.

Martin Mackay, chief revenue officer at networking cyber security firm Versa Networks, said while these attacks did not affect customers directly, the latest incident is no less serious.

“Stolen employee data usually ends up being sold on the dark web and can be used to commit further crimes such as fraud. It is an awful position for both the business and employees to be in – not knowing who has access to their personal data, and ultimately, what they could be using it for,” he said, noting it was essential for security teams to gain complete visibility over all endpoints and devices connected to their network.

“There should also be extra security controls such as network segmentation, in place that helps to secure the most sensitive data stored in networks.”

He further noted that retailers continue to be a popular target to threat actors due to the amount of personal data they hold and the widespread impact attacks on these organistions can have.

Jason Gerrard, director of international systems engineering at Commvault, added that it is essential to have the correct tools in place to identify threats early.

“An early detection system, such as cyber deception, will put organisations one step ahead of the attacker. Decoys are deployed to throw the attacker off course and lure them to fake assets, rather than the real ones,” he said.

“Organisations are alerted as soon as the attacker enters the decoy IT environment so security teams can take immediate actions and isolate the asset. With response time significantly reduced, cyber criminals are far less likely to get into any real systems.”

Other retailers and consumer-facing organisations recently affected by cyber attacks include JD Sports, which saw up to 10 million customers’ data accessed in January 2023, and Royal Mail, which was affected by a suspected LockBit ransomware attack in early January 2023 that left its international export service paralysed for weeks.

Read more about cyber attacks on retailers

Read more on Network security strategy

Data Center
Data Management