WH Smith has revealed that it has been hit by a cyber attack which has impacted current and former staff members.
The retailer made the public notification via an alert issued to the London Stock Exchange on 2 March, advising investors of a cyber security incident.
It said the attack has resulted in illegal access to some company data, which includes data on current and former employees.
An investigation has been launched into the attack with support from third-party cyber security experts. Relevant authorities have been informed per the company's incident response plan.
“WH Smith takes the issue of cyber security extremely seriously and investigations into the incident are ongoing,” the company said in its statement. “We are notifying all affected colleagues and have put measures in place to support them.”
“There has been no impact on the trading activities of the group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident,” it said.
IT Pro contacted WH Smith for additional information but it declined to comment beyond its official statement.
“Although they acknowledge that employee data has been compromised, they are assuring customers that their details and financial information were stored separately and will not have been affected," said Will Richmond-Coggan, a data breach litigation specialist at national law firm Freeths.
"Keeping categories of information separate and secure from one another is vital in ensuring that a compromise of one system cannot affect the remainder of the business; They also say that they have already been in touch with employees and offered them support.
“Prompt efforts to communicate with those affected, and the offer of measures targeted at any risk of harm, can make a significant difference to the risk of regulatory enforcement, or subsequent claims," he added.
In April 2022, greeting cards business Funky Pigeon, a WH Smith subsidiary, was hit by a cyber attack.
It took its systems offline and was unable to fulfil any orders, and wrote to customers from the previous 12 months to inform them of the incident.
Analysis of WH Smith's cyber attack disclosure
The wording of organisations' data breach and cyber attack notifications is usually deliberately vague.
Some companies opt for total transparency whereas others, like Royal Mail International most recently, go for a strategically opaque approach.
WH Smith's disclosure falls somewhere in the middle and is about as vague as most cyber incident notifications in the UK.
Royal Mail's ransomware attack was originally called a "cyber incident" by the company from the outset, wording that remained long after it was reported to be ransomware.
Others, such as the recent attack on Minneapolis Public Schools, go further. In this case, the organisation referred to its attack as an 'encryption event".
The fact that WH Smith's trading operations remain functional is a promising sign for its chances of recovery and could indicate that the attack was not ransomware in nature.
Ransomware attacks are usually carried out using a double extortion model and aim to disrupt the target as much as possible to encourage payment.
The hiring of outside cyber security experts is a common occurrence in cyber attack scenarios and the practice is often said to be a necessity when constructing an organisation's incident response playbook.
The relevant authorities cited likely referred to are the Information Commissioner's Office (ICO) and could also include the National Cyber Security Centre (NCSC) and National Crime Agency (NCA), among others.
As is usually the case, more details about the incident are likely to trickle out over time.
This is a developing story.
