
£17 Million Or 4% Of Turnover - Will Hacked Sodexo Face Crippling Fine?

Sodexo Data Breach
23 April 2018

Sodexo Engage has been hacked - seriously hacked - with the company having to advise users of one of its services to cancel their credit and debit cards as a result.

Under the incoming GDPR, the company could have faced a multi-million-pound fine if its systems were deemed not to have been up to scratch.

Sodexo Engage is a specialist in employee and consumer engagement. One of its platforms is Filmology, which is used to incentivise client employees with free or subsidised access to cinemas. It carries the same 'Quality of Life' subtag as its FM counterpart as the businesses have synergies - Engage will offer managed employee benefits to its own staff and to its FM clients amongst others.

A spokesperson told ThisWeekinFM: "We are aware that there has been unlawful access to personal data that was used on certain Filmology platforms. We immediately notified the authorities, including law enforcement agencies and customers."

Under the incoming GDPR it is incumbent on those that suffer a data breach to inform the authorities (there are different mechanisms, including via the Information Commissioner's Office). This incident was so serious that it came to the attention of the National Cyber Security Centre.

The Sodexo spokesperson continued: "This incident has been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists."


Business suspended

"For this reason," said the spokesperson, "we have taken the decision to remove access to the current site for the foreseeable future. This is to eliminate any further potential risk to our consumers and to ensure we continue to protect their data. We are also advising customers that have completed transactions on the site between 19th March-3rd April 2018 to contact their card issuer to cancel their payment card, as a precaution.

"We apologise for the inconvenience this has caused and are doing all that we can to provide access to these benefits via alternative means. We will share more information on this with our customers in due course."


National Cyber Security Centre

The NCSC reported the incident on Friday 13: 'The facilities management company Sodexo has confirmed a targeted attack on its cinema voucher platform Filmology. As the breach resulted in unauthorised access to payment card data, the platform has been taken down for the foreseeable future. The company has advised Filmology users who used the service between 19 March and 3 April to cancel their credit cards. Advice to cancel payment cards is relatively unusual following a data breach'.


Great Western Rail

The same NCSC Threat Report noted: 'Great Western Rail has advised customers to change their passwords after unauthorised attempts to access accounts. The attack likely used password data harvested from other areas of the internet. GWR confirmed that around 1,000 users have been directly affected'.

The NCSC advises customers who have online accounts with companies that have reported a data breach to reset their passwords on every service where they have used a similar password.


Information Commissioner

Elizabeth Denham, the UK Information Commissioner, told ThisWeekinFM: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."


Sodexo Engage

Sodexo Engage provides an online portal, payment processing and delivery system for employee benefits that range from cinema tickets to medical services. They also handle the employee communications to let staff know about the benefits/incentives and how they're doing. Users can top up or buy extras with their own credit or debit cards.

'Our aim is that every business should be able to provide the benefits that their employees need to be happy and engaged at work, without having to worry about their HR team’s resources. We handle the implementation and admin legwork. It’s about improving lives and creating positive experiences – all of which are connected to you, the employer that really cares', goes the marketing blurb. 'Whether you’re trying to engage with your staff, your customers, or the communities you work in, we’re the glue that sticks business and people together'.

Seems the glue may have come unstuck!

Picture: Sodexo Engage Filmology is unlikely to face a crippling data breach fine - but watch this space.


Finnish data breach linked to supply chain

A recent compromise of a website belonging to the Finnish Enterprise Agency illustrates some of the risks associated with outsourcing. The maintenance and data security of the website was subcontracted to a third-party organisation, which reportedly stored the passwords in clear text. The breach is estimated to have revealed the usernames and passwords of 130,000 users. The Finnish Communications Regulatory Authority has confirmed it as the third largest data breach in Finland to date, in terms of the number of user accounts compromised.

The threat via the supply chain was highlighted as one of the four key trends of 2017 in a joint report - ‘The Cyber Threat to UK Business’ - published by the NCSC and National Crime Agency in April.


Article written by Brian Shillibeer | Published 23 April 2018

