Cyber Incident Victim: Whitbread

In July 2018, Whitbread PLC experienced a data breach affecting its online recruitment system managed by third-party provider PageUp. The incident impacted recruitment data for several Whitbread brands, including Premier Inn and UK-based Costa Coffee outlets. PageUp stored applicant information submitted to Whitbread, potentially exposing personal details of prospective and current employees. On July 2, 2018, Whitbread notified affected individuals via email, stating there was a possibility that submitted recruitment data "may have been accessed" and could be exploited for identity theft when combined with other information. The compromised data categories included contact details, biographical information, and employment history. Whitbread emphasized that PageUp had not detected any fraudulent activity stemming from the breach at the time of disclosure.

Whitbread suspended its use of PageUp's services immediately upon discovering the incident and blocked current applicants from uploading additional data to the system. The breach primarily affected UK operations, with Whitbread confirming its sole Irish presence as a Premier Inn at Dublin Airport and Northern Irish operations encompassing seven Premier Inns and approximately 20 Costa Coffee outlets. The company advised impacted individuals to change passwords if they reused credentials across multiple online services. In communications, Whitbread apologized for the incident while underscoring their careful partner selection processes and commitment to data security. No evidence suggested operational disruptions to Whitbread's hospitality or retail services beyond the recruitment system suspension.