Cyber Incident Victim: Costa Coffee
Date:
Jul 2018
Location:
United Kingdom
Summary
A data breach occurred in an online recruitment system managed by a third-party provider for Whitbread, impacting several of its brands including Premier Inn and Costa Coffee's UK operations. The incident potentially exposed applicant information such as contact details, biographical data, and employment history, which could be exploited for identity theft. While no fraudulent activity was confirmed at the time of disclosure, the company suspended the affected system provider, prevented further data uploads, and advised applicants to change reused passwords as a precautionary measure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around July 2, 2018, Whitbread PLC disclosed a data breach impacting its online recruitment system managed by third-party provider PageUp. The incident affected multiple Whitbread brands, including Premier Inn hotels and Costa Coffee outlets operating under Whitbread’s UK control. The compromised system stored personal information submitted by job applicants and current employees during recruitment processes. Whitbread notified affected individuals via email on July 2, stating there was a possibility that unauthorized parties accessed data including contact details, biographical information, and employment history. The company warned this information could potentially be combined with other data for identity theft purposes, though it emphasized PageUp had not detected any fraudulent activity stemming from the breach at the time of disclosure.
Whitbread responded by immediately suspending its use of PageUp’s recruitment platform upon discovering the incident and blocked current applicants from uploading additional data to the system. The breach did not impact Costa Coffee operations in the Republic of Ireland, which are independently franchised to MBCC Foods, but affected approximately 20 Costa Coffee outlets in Northern Ireland under Whitbread’s management. Whitbread issued a public apology, advising affected individuals to change passwords if they reused credentials across multiple services. The company confirmed its Premier Inn operations in the Republic of Ireland—limited to a single location near Dublin Airport—were unaffected. No operational disruptions to Whitbread’s hospitality or retail services were reported, with the incident confined to recruitment data handled by PageUp’s compromised system.