A Breach at an Aussie Software Company Exposes Personal Details of Costa Coffee Employees
Based in England, Whitbread PLC is a true behemoth of the hospitality industry. It owns, among other brands, Costa Coffee, an international chain of coffee shops that has branches in over thirty countries. A lot of people work at these cafés, and an unknown number of them recently had some of their personal information accessed.
The breach didn't really set the news websites ablaze, and not a whole lot of people seemed overly concerned. Today, we'll try to shine a bit of light on the incident, and, perhaps more importantly, we'll see what we can learn from it.
Third parties and data breaches
The hackers didn't break into Whitbread's systems. They compromised PageUp – a provider of HR software solutions based in Australia. Whitbread is just one of PageUp's clients.
The Australian software company noticed unusual activity on its systems back in May and promptly launched an investigation. It was later revealed that an unauthorized party had accessed personal information belonging to current and former employees as well as job applicants of one of their clients. The information included email addresses, physical addresses, dates of birth, telephone numbers, employment data, etc. PageUp hasn't officially revealed that Whitbread is the affected client, but, asked by the media, representatives of the British hospitality giant admitted that this is the case.
We've seen this type of incident way too many times in the past, and we'll likely continue to see it in the future. Even big companies like Whitbread sometimes find it economically unfeasible to build their own platforms for handling users' (or, in this case, employees') data, so they rely on third-party solutions instead. When those third-party solutions get attacked, business suffers, enterprises get egg on their faces, and users end up having their data stolen.
Third parties and users' awareness
There's another problem with third-party data-handling solutions: the question of whether users know that their information is sent to a company they may or may not have ever heard of. It's not clear whether this is the case in this particular incident, but it must be said that with many third-party breaches, the users don't know who takes care of their data until it's too late.
You could argue that they aren't presented with much of a choice, and that, if they want to use a particular service, they need to provide their data to whoever is responsible for keeping it safe. That's not what this is about, however. This is all about transparency.
Password storage is important
Although they're not willing to name the affected client, PageUp's people do a fine job of saying what was stolen and what remained safe. They note, for example, that critical data such as resumes, financial information, performance reports, etc. remained untouched. They also put a very important piece of information in their report. It becomes apparent that affected employees accessed the system with an email address and a password. PageUp said that the passwords were stored with bcrypt, a salted and deliberately slow password-hashing function which the hackers are unlikely to crack. The Aussie company did point out that some logs from 2007 might contain records of login attempts made with the wrong password, but it's fair to say that these are unlikely to affect a large number of people right now, eleven years later.
If the hashing algorithm had been weaker, the story would have been quite a bit scarier, and many people would have had to change their passwords. People affected by the breach still need to be on the lookout for phishing emails and other scams, though.
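As an added example (not part of the original article or PageUp's software), here is the property the article credits bcrypt with, a per-user random salt plus a deliberately slow, tunable hash, implemented with PBKDF2-HMAC-SHA256 from Python's standard library because bcrypt itself needs a third-party package; the weak unsalted scheme the article alludes to sits beside it for contrast. The record format, work factor and sample passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (bcrypt's equivalent is its cost parameter).
# Raise it over time as hardware gets faster; old records are detected by needs_rehash().
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user and every change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < min_iterations


def unsalted_fast_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted digest per password (for contrast only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two employees who happen to pick the same password.
    alice = hash_password("Winter2018!")
    bob = hash_password("Winter2018!")
    print("salted records differ:", alice != bob)
    print("correct password verifies:", verify_password("Winter2018!", alice))
    print("wrong password rejected:", verify_password("winter2018!", alice))
    # With the fast unsalted scheme, identical passwords produce identical records,
    # so a leaked table immediately reveals which accounts share a password.
    print("unsalted records collide:", unsalted_fast_hash("Winter2018!") == unsalted_fast_hash("Winter2018!"))
```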
Transparency is still not as good as it should be
The announcements from both PageUp and Whitbread left a lot to be desired. Indeed, save for the job applicants, there are no people outside the two companies that were affected by the breach. Nevertheless, neither PageUp nor Whitbread had the courage to publicly announce how many employees had their personal information exposed. We're pretty sure that a data breach is an embarrassing experience for all companies, both big and small. Still, for many people, especially the ones who know how difficult securing an online asset is, the way the incident is handled could be the difference between acknowledging that bad things happen and moving on, and cutting all business ties and looking for another provider.