WH Smith faces prospect of fine after hackers steal staff data
WH SMITH is facing the prospect of millions of pounds in fines after its workers’ National Insurance numbers were stolen in a cyber attack.
The company, which employs about 10,000 people across Britain, said yesterday it had been targeted by hackers for the second time within 12 months.
The unidentified attackers stole information including current and former employees’ names, their addresses, their dates of birth and their National Insurance details.
It is thought that staff bank details were not accessed, however. Customer information was also unaffected, the company said.
The company did not give a figure for how many staff may have been affected, but confirmed that its overseas operations were not affected.
Cyber security industry sources said there was no trace so far of the stolen data being advertised for sale on dark websites used by cyber criminals.
Last April, WH Smith’s online card business Funkypigeon was forced to suspend its online ordering process for a week after hackers got into its computer
systems. This ultimately cost it £4m, according to the retailer’s most recent accounts.
WH Smith has written to current and former employees who were caught up in the hack, advising them how to secure their data, such as changing their online banking passwords, and offering them credit history checks through Experian.
Notifying the City about the incident, WH Smith said it “takes the issue of cyber security extremely seriously and investigations into the incident are ongoing”.
Jon Baines, senior data protection specialist at London law firm Mishcon de Reya, said: “Based on its last annual statements, WH Smith faces a maximum fine of up to £56m under UK law.
“Under UK data protection reguations companies can be fined £17.5m or 4pc of their annual revenue, whichever is higher. In practice, the Information Commissioner’s Office must take a proportionate approach when fining companies who lose control of large amounts of personal data.”