Employee benefits firm Sodexo has suffered a data breach exposing personal info believed to include names, email addresses and home addresses after UK arm Sodexo Motivation Solutions’ internal IT systems were hit by malware.
In the wake of the breach, it pulled Engage's staff-facing retail discount and perks website lifestylehub.co.uk offline "after receiving some reports that users of this platform have received phishing emails". It said this was a "precaution" as "there was no evidence the employee benefits platform had been attacked by this malware".
@sodexoengage are you still trading? The website for lifestyle hub has been down for a week now.— Oliver Brown (@OliBFresh) October 8, 2018
The site remained unavailable at the time of publication on Wednesday.
El Reg became aware of the incident via a tip from a UK enterprise user of Engage's services. The breach notice is here.
Sodexo Engage describes itself as a "specialist in employee and consumer engagement".
The latest incident exposed personal information believed to include names, email addresses and home addresses, but Sodexo would not provide any detail on how many people were affected or on the nature of the malware. It said it had no evidence financial data had been "compromised".
A spokesperson for the Information Commissioner's Office said: "We are aware of an incident involving Sodexo Motivation Solutions UK Ltd and we will be making enquiries."
A Sodexo spokesperson told The Reg:
We have discovered that malicious software (malware), undetectable by leading antivirus software, has caused a data breach of Sodexo Engage’s internal IT systems. A team of CREST-approved security specialists are working with us to investigate this issue and ensuring that we are preventing any further leaks of personal information. We have found no evidence so far that any financial information has been compromised. We have informed those customers affected and continue to update them.
Sodexo provides worker perks like cinema vouchers and money off at stores such as B&Q in addition to facilities management services.
Sodexo Filmology, another arm of the parent firm, suffered a more serious leak in April this year that exposed credit card details. Members were advised to cancel their payment cards in the wake of the breach. Sodexo told us the Filmology platform was a separate entity which was "completely separate from the Sodexo IT Infrastructure".
We'll update this story as and when more information comes to hand. ®