The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

£17 Million Or 4% Of Turnover - Will Hacked Sodexo Face Crippling Fine?

Sodexo Data Breach
23 April 2018
 

Sodexo Engage has been hacked - seriously hacked - with the company having to advise users of one of its services to cancel their credit and debit cards as a result.

Under the incoming GDPR, the company could have faced a multi-million-pound fine if its systems were deemed not to have been up to scratch.

Sodexo Engage is a specialist in employee and consumer engagement - one of its platforms is Filmology, which is used to incentivise client employees with free or subsidised access to cinemas. It carries the same 'Quality of Life' subtag as its FM counterpart, as the businesses have synergies - Engage will offer managed employee benefits to its own staff and to its FM clients amongst others.

A spokesperson told ThisWeekinFM: “We are aware that there has been unlawful access to personal data that was used on certain Filmology platforms. We immediately notified the authorities, including law enforcement agencies and customers."

Under the incoming GDPR, it is incumbent on those that suffer a data breach to inform the authorities (there are different mechanisms, including via the Information Commissioner's Office). This incident was so serious that it came to the attention of the National Cyber Security Centre.

The Sodexo spokesperson continued: "This incident has been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists."

 

Business suspended

"For this reason," said the spokesperson, "we have taken the decision to remove access to the current site for the foreseeable future. This is to eliminate any further potential risk to our consumers and to ensure we continue to protect their data. We are also advising customers that have completed transactions on the site between 19th March-3rd April 2018 to contact their card issuer to cancel their payment card, as a precaution.

"We apologise for the inconvenience this has caused and are doing all that we can to provide access to these benefits via alternative means. We will share more information on this with our customers in due course."

 

National Cyber Security Centre

The NCSC reported the incident on Friday 13: 'The facilities management company Sodexo has confirmed a targeted attack on its cinema voucher platform Filmology. As the breach resulted in unauthorised access to payment card data, the platform has been taken down for the foreseeable future. The company has advised Filmology users who used the service between 19 March and 3 April to cancel their credit cards. Advice to cancel payment cards is relatively unusual following a data breach'.

 

Great Western Rail

The same NCSC Threat Report noted: 'Great Western Rail has advised customers to change their passwords after unauthorised attempts to access GWR.com accounts. The attack likely used password data harvested from other areas of the internet. GWR confirmed that around 1,000 users have been directly affected'.

The NCSC advises customers who have online accounts with companies that have reported a data breach to reset their passwords on every service where they have used a similar password.

 

Information Commissioner

Elizabeth Denham, the UK Information Commissioner, told ThisWeekinFM: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."

 

Sodexo Engage

Sodexo Engage provides an online portal, payment processing and delivery system for employee benefits that range from cinema tickets to medical services. They also handle the employee communications to let staff know about the benefits/incentives and how they're doing. Users can top up or buy extras with their own credit or debit cards.

'Our aim is that every business should be able to provide the benefits that their employees need to be happy and engaged at work, without having to worry about their HR team’s resources. We handle the implementation and admin legwork. It’s about improving lives and creating positive experiences – all of which are connected to you, the employer that really cares', goes the marketing blurb. 'Whether you’re trying to engage with your staff, your customers, or the communities you work in, we’re the glue that sticks business and people together'.

Seems the glue may have come unstuck!

Picture: Sodexo Engage Filmology is unlikely to face a crippling data breach fine - but watch this space.

 

Finnish data breach linked to supply chain

A recent compromise of a website belonging to the Finnish Enterprise Agency illustrates some of the risks associated with outsourcing. The maintenance and data security of the website was subcontracted to a third party organisation, which reportedly stored the passwords in clear text. The breach is estimated to have revealed the usernames and passwords of 130,000 users. The Finnish Communications Regulatory Authority has confirmed it as the third largest data breach in Finland to date, in terms of the number of user accounts compromised.

The threat via the supply chain was highlighted as one of the four key trends of 2017 in a joint report - ‘The Cyber Threat to UK Business’ - published by the NCSC and National Crime Agency in April.

 

Article written by Brian Shillibeer | Published 23 April 2018
