WH Smith staff data hit by cyber-attack

PA Media WH Smith storePA Media

High Street retailer WH Smith has been hit by a cyber-attack, with hackers accessing some of its workers' data.

Data that may have been breached includes names, addresses, National Insurance numbers and dates of birth of the firm's current and former UK staff.

However, its website, customer accounts and customer databases are not affected, WH Smith said.

The company said it had launched an investigation and had told the relevant authorities of the incident.

"WH Smith takes the issue of cyber-security extremely seriously and investigations into the incident are ongoing," it said.

"We are notifying all affected colleagues and have put measures in place to support them."

It added: "There has been no impact on the trading activities of the group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident."

WH Smith did not say how many of its current and former employees had been affected by the breach, which took place earlier this week. The company employs about 10,000 people in the UK across its High Street stores and outlets at railway stations and airports.

The Information Commissioner's Office, a watchdog which investigates data breaches, said it was aware of the incident and was investigating.

Lauren Wills-Dixon, an expert in data privacy law at law firm Gordons, said retailers were at a higher risk of cyber-attack because of the large amount of data they hold on their customers and employees.

"There is also enhanced reputational risk and potential for disruption because retailers are so reliant on public trust and confidence, which cyber incidents threaten to undermine. This makes the retail sector an attractive target."

She added that attacks on employees' data could be more damaging than others because the type of data companies hold about their staff means a leak can lead to a greater risk of identity theft for the affected individuals.

This year has already seen two cyber-attacks on high-profile UK companies.

In January, Royal Mail was hit by a Russian linked ransomware attack that caused severe disruption to overseas deliveries for several weeks.

That same month sportswear chain JD Sports said that it had been targeted by a cyber-attack which could have put data relating to 10 million customers at risk.

In April last year, online greeting card company Funky Pigeon, which is owned by WH Smith, was hit by a cyber-attack that left it unable to process orders for several days.