WHSmith cyber attack

Books and stationary retailer WHSmith said it has fallen victim to a cyber attack that saw hackers access company data including sensitive information about employees. 

In a statement, the British high-street giant said a “cyber security incident” had resulted in illegal access to company data including current and former employee information. 

The hack has not impacted trading activities, WHSmith stressed on its website, and customer accounts and databases were stored on other, unaffected systems.

“Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities,” WHS Smith said. 

“WHSmith takes the issue of cyber security extremely seriously and investigations into the incident are ongoing. We are notifying all affected colleagues and have put measures in place to support them.”

Cyberwarfare on the British high street 

The attack comes amid a wave of cyber attacks on British retailers in recent months. At the end of January, JD sports was also hit with a cyber attack affecting 10 million customers.

Hackers seized customer addresses, phone numbers and email addresses, with the sports retailer urging customers to “stay vigilant” as the implications of the attack unfolded. 

That same month, Royal Mail was left powerless after a Russia-link ransomware attack left the delivery service in chaos, halting international deliveries for weeks.

It’s not WHSmith's first rodeo either. In April last year, WHSmith-owned online greeting card company Funky Pigeon was hit by a cyber-attack that left it unable to process orders for several days.

To read more about cyber attacks, visit our Business Continuity Page. 

Attacks on UK enterprises overall have surged in recent months, with some of the largest and most well-respected corporations and critical public services being targeted by hackers. 

According to the CyberEdge 2022 Cyberthreat Defense Report (CDR), over 80 per cent of UK businesses fell victim to cyberattacks in 2022, and the number is expected to rise this year. 

Retailers like WHSmith were the single biggest source of fraudulent activity in terms of the number of cases in 2020, with 67,400 cases and £103 million stolen that year. 

A report by Money.co.uk found that criminals are stealing larger sums of money in each fraud, with a total of £4 billion being stolen in the space of a year. 

“Cybercrime has been dominating the headlines over the past two years as fraudsters are becoming more sophisticated in their attacks, the report summary wrote. 

“Successful criminals are stealing hundreds of thousands of pounds from just a single intrusion in some cases,” it added.

Experts call for better legislation on cybercrime

As the rate of attacks surges, experts warn that the UK government needs to do more to protect public services and take action on enterprises failing to protect the data of their customers. 

Speaking to an audience of police, business leaders and security staff on Wednesday (March 1) Chair of the City of London Police Authority Board James Thomson, said: “too many cases are scuppered by the weaponisation of disclosure by defence teams”.

The former City of London Police special constable said it was “critical” that government includes an offence of ‘failure to prevent fraud’ in the Economic Crime and Corporate Transparency Bill, which “needs to have real teeth”.

Mr Thomson said that fraud and cybercrime now account for more than 40 per cent of all offences, but the investigation and prosecution of fraud nationally, while improving, “still remains low…and under prioritised”, with just under two per cent of overall policing resources dedicated to tackling it.

Cybersecurity experts agree. In response to the recent attack on Royal Mail. Ricard Staynings, Chief Security Strategist at Cylera, told EM360: “critical industries seem to be constantly attacked and damaged, suggesting that the UK government is not taking cybersecurity seriously enough.” 

“When a critical infrastructure industry is disrupted or attacked, its impact travels far, affecting many other businesses and individuals. For this reason, these industries are supposed to be afforded extra levels of protection by the government,” he added.