Cyber Incident Victim: Peter Mark

On or around June 1, 2023, Peter Mark confirmed it had been the target of a cyber attack. The company’s initial investigation discovered evidence that an unauthorised third party had illegally gained access to certain information stored on its internal office IT system. The attack was specifically directed at this internal corporate network, which is separate from the systems operating its customer-facing salon business. Following the detection of the security incident, immediate steps were taken by the company to intercept and manage the breach. To aid in the investigation and help resolve the incident, Peter Mark engaged highly specialised external cybersecurity services.

The cyber attack did not impact the operational capabilities of the Peter Mark salon chain. All salons remained fully open for business, and customers could continue to book appointments as usual. The customer payment system, which processes card transactions, was also confirmed to be unaffected by the breach. This system is operated by a third-party provider, insulating it from the compromise that occurred on the internal office IT infrastructure. This separation ensured that customer financial data related to payments was not part of the incident.

The precise nature and full extent of the data breach remained under investigation at the time of the statement. The company was actively working to determine what exact data on its systems had been accessed or exfiltrated by the threat actor. However, initial results from the ongoing investigation indicated that some Human Resources data had been compromised. This data pertained to staff information, though the specific details of what was contained within the HR records were not publicly disclosed. It was not yet clear what other categories of data, beyond HR information, may have been part of the breach, and the company stated it was continuing its investigation into this matter.

A key finding from the initial investigation was that there was no evidence any personal data had been leaked onto the dark web. Despite this initial assessment, the company committed to continuing its monitoring of dark web channels for any signs that the compromised data might appear or be offered for sale. This monitoring was part of the broader response to understand the potential downstream effects of the data access.

In response to the incident, Peter Mark reported the attack to multiple relevant authorities across Ireland and Northern Ireland. This included making formal reports to the Data Protection Commission in Ireland and the UK’s Information Commissioner’s Office. The company also engaged with law enforcement, reporting the incident to An Garda Síochána. Furthermore, the National Cyber Security Centre was notified and involved. The company’s public statement also referenced guidance published by the National Cyber Security Centre, An Garda Síochána, and the Banking and Payments Federation of Ireland, directing the public to these resources to educate themselves on protecting against cybercrime and fraud.

As part of its customer and public communication, Peter Mark issued guidance in accordance with recommended cybersecurity practices. The company advised individuals to never disclose any personal data, including passwords, usernames, or PIN numbers, in response to an unsolicited call or communication. This warning extended to communications that might appear to be legitimate and covered vectors such as SMS, email, or phone calls. The public was advised not to click on any links or open any attachments contained within such unsolicited communications. The statement specifically reinforced that Peter Mark would never ask for card details when a customer is making an appointment, either by telephone or via the online booking system, a point reiterated to help customers identify fraudulent attempts that might leverage the news of the breach.

Internally, Peter Mark was in the process of liaising with its staff to inform them of the incident directly. This internal communication was a priority given the confirmation that HR data had been compromised. The company was working closely with all the relevant authorities and its team of external specialists who were assisting with the investigation and response efforts. The commitment was made to provide further updates to the relevant authorities and to any affected individuals in line with the company's data protection obligations.

The financial scale of the organization involved was noted in reporting, with the Peter Mark group having generated revenues of more than €33 million in 2021 according to accounts filed earlier in the year. The attack served as a reminder of the threats faced by businesses of all sizes, though the company's prompt engagement with specialists and authorities reflected a structured response to the incident. The compromise was isolated to the internal office IT system, and the core business operations of the salon network and its third-party payment processing continued without interruption throughout the incident response period. The primary known impact was the confirmed compromise of internal human resources data belonging to staff members, with the potential for other data categories to have been involved still under investigation at the time of the public statements.