Intruder alert: UK retailer WH Smith hit by another data leak

Less than a year after its online greetings card subsidiary Funky Pigeon was attacked, WH Smith has admitted someone broke into its systems.

In a typically passive statement, the magazines, paperbacks and sweeties retailer posted a London Stock Exchange notice to investors this morning explaining it had been the “target of a cyber security incident.”

Public companies like WH Smith – which is a constituent of the FTSE 250 Index – have to disclose these things under financial regulator rules, lest shareholders sue them at a later date for not coughing up the information in a timely manner.

WH Smith said the attack had “resulted” in illegal access to some company data, including on current and former employees.

However, its website, customer accounts and “underlying customer databases” were on separate systems that were not accessed, it said. As for the staffers whose data was snaffled, it is “notifying all affected colleagues and have put measures in place to support them.”

It added: “Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities.”

The group, which is just weeks away from reporting its results for the half year to February 28, added that it had seen “strong trading performance” and that its commercial activities were not affected.

In April last year, someone illegally accessed systems of WH Smith’s subsidiary Funky Pigeon. The online greetings card and gifts business had to stop taking orders during the attack, but said that payment data was not affected. Just days before, the company’s social media feeds had been telling customers that “technical issues” were delaying new business being processed. It did not clarify which data was accessed.

The latest developments at WH Smith come a week after the Royal Mail resumed international shipments as it recovers from an attack by individuals who said they weren’t, and then that they were, part of Russia-linked group LockBit. The malware slingers appear to have given up on getting the ransom they asked from Royal Mail and published some files they claimed were from the stolen loot.

The Royal Mail told Reuters that its investigation didn’t find any financial or sensitive customer information among the data the thieves stole. ®