Hacked | Cyber attack on WH Smith staff data leaves HR with a slew of ethical issues to tackle

Cyber attack on WH Smith staff data leaves HR with a slew of ethical issues to tackle

WH Smith fell victim to a cyber attack last week, with hackers gaining access to confidential employee details and sparking questions about HR’s role in digital security.

The high street retailer revealed that data including names, addresses, National Insurance numbers and dates of birth had been breached. The leak includes details of current employees but also former staff who remain on the company’s database.

WH Smith did not say how many current and ex-employees had been affected, but the company employs about 10,000 people in the UK.

Customer accounts and customer databases are not affected, the firm said, while confirming that an investigation had been launched.

A statement published to the London Stock Exchange said: “WH Smith PLC has been the target of a cyber security incident which has resulted in illegal access to some company data, including current and former employee data. Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities.

“WH Smith takes the issue of cyber security extremely seriously and investigations into the incident are ongoing. We are notifying all affected colleagues and have put measures in place to support them.

“There has been no impact on the trading activities of the Group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident.”

The Information Commissioner's Office has also launched a probe into the matter.

Why cyber security is not just an issue for IT, but for HR as well

The top brass at WH Smith are already looking into how such a breach occurred. Naturally their attention will be on strengthening their IT prowess. So this is an IT issue right, as opposed to something HR should be addressing too? Not exactly. 

The ICO and UK government both state that the number one cause for data breaches in the UK is human error, so it’s vital to get the human element of your cybersecurity in check.

If your cybersecurity is compromised and details of salaries, mental health treatments, family members, payment info or full identities are compromised, it’ll be HR working around the clock to pick up the pieces. Secondly, under the Data Protection Act of 2018 and the GDPR, HR holds both personal and sensitive information that must be stored, accessed, secured and processed in compliant ways.


12 Steps To People Technology Success

12 Steps To People Technology Success

Changing your HR software is a big decision and an even bigger project. It’s vital to get right, and yet it also something which you may never have done before.

In this guide you will be provide you with the answers you need, the common pitfalls and bottlenecks, and the realistic expectations you should have for a project like this.

We’ve distilled our experiences into our comprehensive guide, 12 Steps To People Technology Success.

This detailed resource is your companion throughout the whole process, from making the case for a new system, right through to a successful roll out across the business. 

Show more
Show less

Unfortunately, it’s not just something that even SMEs can “leave to IT”. Having thorough, frank discussions with your security and data protection personnel is vital to making sure that the information you keep – both the financially vulnerable stuff and the sensitive information of staff – is kept safe.

“By far, the most important thing for HR leaders to understand is that data protection is everyone’s responsibility,” explained Steve Ryan, Senior Consultant for security company BARR Advisory.

With the UK Government reporting that 39% of UK businesses suffered an attack in 2022 alone, and only 19% having a response plan in place should an attack occur, it’s clear that this is a huge gap in both resource and risk planning for British organisations.

Reporting and your obligations

Reporting from SMEs wasn’t as good as it should be, according to the report, mainly because of lack of detection. And even enterprise organisations failed to reach 100% detection and reporting last year.

Remember that your organisation is required to report cyber attacks and data breaches that aren’t from attacks to the Information Commissioner’s Office (ICO), as well as to any individuals (employees, suppliers, partners and customers) who were or may have been affected by the infringement. You have 72 hours to do this.

What can HR do to tighten up cybersecurity?

James Bore, a ‘cyber security hygienist’ and head of security consultancy Bores Group, believes that that 'data minimisation' is the key to beefing up your digital security.

“One of the most useful principles when you’re looking at personal data protection is data minimisation. You should only keep the data that you actually need. Anything sensitive should only be accessible when needed and should not be retained any longer than needed. When we’re dealing with HR, this can (and often does) involve highly sensitive personal data, and so any policy or other controls put in place should be clear on the technical and procedural safeguards around data.

Read more from us

“As an example, while health data may be important for accommodations to be made in the workplace, it’s rarely needed and so should be behind some form of gateway to be accessed when needed, not as a standard part of HR’s working day.”

Bore concludes: “Often, it’s not even necessary for HR to have specifics on employees for some of the most sensitive data (e.g., protected characteristics that fall under DE&I), and there are services who can act as guardians of the data – not holding any of the identities themselves, and providing the aggregate data that HR needs without putting anyone at risk by identifying or outing them in that summary.”

Sum it up

In summary, HR holds a lot of personal and highly sensitive information on employees, from the moment of recruitment the whole way through to retirement. You’ll also be the ones picking up the pieces should, for example, a member of your workforce, who may be part of the LGBT+ community, have their sexuality disclosed before they were comfortable with publicly sharing this information, or for it to be revealed that a team member has a chronic illness or for employees’ sensitive financial info to be breached.

The best time to review your cybersecurity methods is yesterday. The second best time is today.


Be the first to comment.

You are currently previewing this article.

This is the last preview available to you for the next 30 days.

To access more news, features, columns and opinions every day, create a free myGrapevine account.