Workplace services-flinger Sodexo pulls Engage website after division hit by malware smackdown

UK information commish is investigating


Employee benefits firm Sodexo has suffered a data breach exposing personal info believed to include names, email addresses and home addresses after UK arm Sodexo Motivation Solutions’ internal IT systems were hit by malware.

In the wake of the breach, it pulled Engage's staff-facing retail discount and perks website lifestylehub.co.uk offline "after receiving some reports that users of this platform have received phishing emails". It said this was a "precaution" as "there was no evidence the employee benefits platform had been attacked by this malware".

The site remained unavailable at the time of publication on Wednesday.

The lifestylehub.co.uk website was taken offline following a breach, which is being investigated by the ICO

Sodexo's lifestylehub.co.uk was down this morning (click to enlarge)

El Reg became aware of the incident via a tip from a UK enterprise user of Engage's services. The breach notice is here.

Sodexo Engage describes itself as a "specialist in employee and consumer engagement".

The latest incident exposed personal information believed to include names, email addresses and home addresses, but Sodexo would not provide any detail on how many people were affected or on the nature of the malware. It said it had no evidence financial data had been "compromised".

A spokesperson for the Information Commissioner's Office said: "We are aware of an incident involving Sodexo Motivation Solutions UK Ltd and we will be making enquiries."

A Sodexo spokesperson told The Reg:

We have discovered that malicious software (malware), undetectable by leading antivirus software, has caused a data breach of Sodexo Engage’s internal IT systems. A team of CREST-approved security specialists are working with us to investigate this issue and ensuring that we are preventing any further leaks of personal information. We have found no evidence so far that any financial information has been compromised. We have informed those customers affected and continue to update them.

Sodexo provides worker perks like cinema vouchers and money off at stores such as B&Q in addition to facilities management services.

Sodexo Filmology, another arm of the parent firm, suffered a more serious leak in April this year that exposed credit card details. Members were advised to cancel their payment cards in the wake of the breach. Sodexo told us the Filmology platform was a separate entity which was "completely separate from the Sodexo IT Infrastructure".

We'll update this story as and when more information comes to hand. ®

Similar topics


Other stories you might like

  • Spain, Austria not convinced location data is personal information
    Privacy group NOYB sues to get telcos to respect GDPR data access rights

    Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.

    EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.

    In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading

Biting the hand that feeds IT © 1998–2022