The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

£17 Million Or 4% Of Turnover - Will Hacked Sodexo Face Crippling Fine?

Sodexo Data Breach
23 April 2018

Sodexo Engage has been hacked - seriously hacked - with the company having to advise users of one of its services to cancel their credit and debit cards as a result.

Under the incoming GDPR, the company could have faced a £multi-million fine if their systems were deemed not to have been up to scratch.

Sodexo Engage is a specialists in employee and consumer engagement - one of its platforms is Filmology, which is used to incentivise client employees with free or subsidised access to cinemas. It carries the 'Quality of Life'  subtag as its FM counterpart as the businesses have synergies - Engage will offer managed employee benefits to its own staff and to its FM clients amongst others.

A spokesperson told ThisWeekinFM: “We are aware that there has been unlawful access to personal data that was used on certain Filmology platforms. We immediately notified the authorities, including law enforcement agencies and customers."

Under incoming GDPR it is incumbent on those that suffer a data breach inform the authorities (there are different mechanisms including via the Information Commissioner's Office). This incident was so serious, it came to the attention of the National Cyber Security Centre.

The Sodexo spokesperson continued: "This incident has been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists."


Business suspended

"For this reason," said the spokesperson, "we have taken the decision to remove access to the current site for the foreseeable future. This is to eliminate any further potential risk to our consumers and to ensure we continue to protect their data. We are also advising customers that have completed transactions on the site between 19th March-3rd April 2018 to contact their card issuer to cancel their payment card, as a precaution.

"We apologise for the inconvenience this has caused and are doing all that we can to provide access to these benefits via alternative means. We will share more information on this with our customers in due course."


National Cyber Security Centre

The NCSC reported the incident on Friday 13: 'The facilities management company Sodexo has confirmed a targeted attack on its cinema voucher platform Filmology. As the breach resulted in unauthorised access to payment card data, the platform has been taken down for the foreseeable future. The company has advised Filmology users who used the service between 19 March and 3 April to cancel their credit cards.  Advice to cancel payment cards is relatively unusual following a data breach'.


Great Western Rail

The same NCSC Threat Report noted: 'Great Western Rail has advised customers to change their passwords after unauthorised attempts to access accounts. The attack likely used password data harvested from other areas of the internet. GWR confirmed that around 1,000 users have been directly affected'.

The NCSC advices customers who have online accounts with companies who have reported a data breach to reset their passwords on every service where they have used a similar password.


Information Commissioner

Elizabeth Denham - the UK Information Commissioner told ThisWeekinFM: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the data Protection Act allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."


Sodexo Engage

Sodexo Engage provides an online portal, payment processing and delivery system for employee benefits that range from cinema tickets to medical services. they also handle the employee communications to let staff know about the benefits/incentives and how they're doing. Users can top up or buy extras with their own credit or debit cards.

'Our aim is that every business should be able to provide the benefits that their employees need to be happy and engaged at work, without having to worry about their HR team’s resources. We handle the implementation and admin legwork. It’s about improving lives and creating positive experiences – all of which are connected to you, the employer that really cares', goes the marketing blurb. 'Whether you’re trying to engage with your staff, your customers, or the communities you work in, we’re the glue that sticks business and people together'.

Seems the glue may have come unstuck!

Picture: Sodexo Engage Filmology is unlikely to face a crippling data breach fine - but watch this space.


Finnish data breach linked to supply chain

A recent compromise of a website belonging to the Finnish Enterprise Agency illustrates some of the risks associated with outsourcing. The maintenance and data security of the website was subcontracted to a third party organisation, which reportedly stored the passwords in clear text.  The breach is estimated to have revealed the usernames and passwords of 130,000 users. The Finnish Communications Regulatory Authority has confirmed it as the third largest data breach in Finland to date, in terms of the number of user accounts compromised.

The threat via the supply chain was highlighted as one of the four key trends of 2017 in a joint report - ‘The Cyber Threat to UK Business’ - published by the NCSC and National Crime Agency in April.


Article written by Brian Shillibeer | Published 23 April 2018


Related Articles

From Russia With Loath - World Cyber War Happening

A joint US-UK statement has been made on malicious cyber activity carried out by the Russian government. The National Cyber Security Centre (NCSC), Federal Bureau of...

 Read Full Article
123456 - 23.2 Million Cyber Victims Used This Password

The most hacked passwords have been revealed as a UK cyber survey exposes gaps in online security with global breach analysis finding 23.2 million victims used 123456 as...

 Read Full Article
Attack On Critical National Infrastructure Imminent

Over half of the respondents to a survey have said they believe an attack on critical national infrastructure is imminent. Most respondents also think the convergence...

 Read Full Article
From Russia with Loath - What Has Happened?

Exactly what is going on and who should be worried as the US Department of Homeland Security, FBI and the UK’s National Cyber Security Centre release a joint...

 Read Full Article
National Warning as Major Cyber Attack Detected

Third parties who manage large organisations’ IT services have been attacked by suspected cyber terrorists the government's  National Cyber Security Centre...

 Read Full Article
How to Identify and Address IoT Security Weaknesses

Data-driven facilities management is now the expected norm, but security concerns about IoT systems still remain amongst FMs and tenants. The Internet of Things (IoT)...

 Read Full Article
FM Leaders Win at British Ex-Forces Business Awards 2022

FM leaders from Churchill Services, Mace and Sodexo have been recognised for their contribution to the business world as military veterans. At the fifth annual British...

 Read Full Article
Sodexo Extends Partnership With IPS and Tork

Sodexo has extended its partnership with the Infection Prevention Society and Tork, Essity’s hygiene brand. The renewed partnership, which initially began in...

 Read Full Article
NHS IT Services Supplier Victim of Ransomware Attack

It has been confirmed that a ransomware attack is causing a major outage for NHS IT systems. Services affected include software used by NHS 111 and other patient notes...

 Read Full Article
Smart Buildings at Increased Risk of Cyber Attacks, Says Verdantix

The operational technology that powers connected devices across building systems is providing more entry points for cyber criminals to exploit, says research and advisory...

 Read Full Article