The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

£17 Million Or 4% Of Turnover - Will Hacked Sodexo Face Crippling Fine?

Sodexo Data Breach
23 April 2018

Sodexo Engage has been hacked - seriously hacked - with the company having to advise users of one of its services to cancel their credit and debit cards as a result.

Under the incoming GDPR, the company could have faced a multi-million-pound fine if its systems were deemed not to have been up to scratch.

Sodexo Engage is a specialist in employee and consumer engagement. One of its platforms is Filmology, which is used to incentivise client employees with free or subsidised access to cinemas. It carries the 'Quality of Life' subtag as its FM counterpart does, as the businesses have synergies - Engage will offer managed employee benefits to its own staff and to its FM clients amongst others.

A spokesperson told ThisWeekinFM: "We are aware that there has been unlawful access to personal data that was used on certain Filmology platforms. We immediately notified the authorities, including law enforcement agencies and customers."

Under the incoming GDPR, it is incumbent on those that suffer a data breach to inform the authorities (there are different mechanisms, including via the Information Commissioner's Office). This incident was so serious that it came to the attention of the National Cyber Security Centre.

The Sodexo spokesperson continued: "This incident has been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists."


Business suspended

"For this reason," said the spokesperson, "we have taken the decision to remove access to the current site for the foreseeable future. This is to eliminate any further potential risk to our consumers and to ensure we continue to protect their data. We are also advising customers that have completed transactions on the site between 19th March-3rd April 2018 to contact their card issuer to cancel their payment card, as a precaution.

"We apologise for the inconvenience this has caused and are doing all that we can to provide access to these benefits via alternative means. We will share more information on this with our customers in due course."


National Cyber Security Centre

The NCSC reported the incident on Friday 13: 'The facilities management company Sodexo has confirmed a targeted attack on its cinema voucher platform Filmology. As the breach resulted in unauthorised access to payment card data, the platform has been taken down for the foreseeable future. The company has advised Filmology users who used the service between 19 March and 3 April to cancel their credit cards. Advice to cancel payment cards is relatively unusual following a data breach'.


Great Western Rail

The same NCSC Threat Report noted: 'Great Western Rail has advised customers to change their passwords after unauthorised attempts to access accounts. The attack likely used password data harvested from other areas of the internet. GWR confirmed that around 1,000 users have been directly affected'.

The NCSC advises customers who have online accounts with companies that have reported a data breach to reset their passwords on every service where they have used a similar password.


Information Commissioner

Elizabeth Denham, the UK Information Commissioner, told ThisWeekinFM: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."


Sodexo Engage

Sodexo Engage provides an online portal, payment processing and delivery system for employee benefits that range from cinema tickets to medical services. They also handle the employee communications to let staff know about the benefits/incentives and how they're doing. Users can top up or buy extras with their own credit or debit cards.

'Our aim is that every business should be able to provide the benefits that their employees need to be happy and engaged at work, without having to worry about their HR team’s resources. We handle the implementation and admin legwork. It’s about improving lives and creating positive experiences – all of which are connected to you, the employer that really cares', goes the marketing blurb. 'Whether you’re trying to engage with your staff, your customers, or the communities you work in, we’re the glue that sticks business and people together'.

Seems the glue may have come unstuck!

Picture: Sodexo Engage Filmology is unlikely to face a crippling data breach fine - but watch this space.


Finnish data breach linked to supply chain

A recent compromise of a website belonging to the Finnish Enterprise Agency illustrates some of the risks associated with outsourcing. The maintenance and data security of the website were subcontracted to a third-party organisation, which reportedly stored the passwords in clear text. The breach is estimated to have revealed the usernames and passwords of 130,000 users. The Finnish Communications Regulatory Authority has confirmed it as the third largest data breach in Finland to date, in terms of the number of user accounts compromised.

The threat via the supply chain was highlighted as one of the four key trends of 2017 in a joint report - ‘The Cyber Threat to UK Business’ - published by the NCSC and National Crime Agency in April.


Article written by Brian Shillibeer | Published 23 April 2018

