LEAKS IN COFFEE SHOPS normally result in spilt foam and third-degree burns, but not in Costa Coffee’s case, where it resulted in data belonging to employees and job applicants being exposed.

Heritage British retailer Fortnum & Mason and digital challenger bank Monzo have both been impacted by a significant data breach as hackers identified a security weakness within a third-party company the two brands have worked with in the past.

The attack hit clients of Typeform, a survey company based in Barcelona.

Fortnum & Mason released a statement saying around 23,000 customers who had entered a competition organised by Typeform had their email addresses exposed to the hackers. The retailer said the hacker also managed to gain data including address, contact number and social media handles from a “smaller proportion” of customers. No bank, payment or passwords have been exposed and all customers have been notified, said Fortnum & Mason.

A F&M spokesperson said: “There has been no breach of Fortnum & Mason’s website or database, and all data which we hold is unaffected by this breach. We have disabled any and all Typeform forms existing on our website and will not work with Typeform until we are assured that there is no further risk, that all our data has been removed from their servers and that their security measures have been improved. We have been informed that Typeform have fixed the root cause and are undertaking forensic investigations.”

Meanwhile, around 20,000 Monzo customers had been affected by the same cyberattack, which resulted in no loss of bank details.

The digital bank broke out the data breach figures, reporting that 19,213 email addresses had been exposed, while the theft of other data has left customers vulnerable:


Breakdown of Monzo data breach:

19,213 – email address

1,600 – postcode and name of old bank

1,434 – Twitter username and email address

908 – email address and university

191 – name, email address, city, age band, salary band

53 – name, email address and employer

7 – name and email address


The bank said all customers had been informed and it has terminated its work with Typeform. It also said it would remove all survey data from any third-party provider within two months of a survey in the future.

Monzo CEO Tom Blomfield said: “To everyone affected, I’m very sorry. Unfortunately, we can’t ever guarantee that something like this won’t happen, but we’re doing everything we can to protect your data and we’ll learn from this incident.”

He added: “If we get more information on the breach, we’ll give a more thorough update in the near future. Until then, we’ll be working hard to minimise the impact on the people involved and we will ensure that no customer is left out-of-pocket as a result of this breach.”

The details of existing and wannabe Costa Coffee baristas, or whatever the company calls them, were nicked after an online recruitment system belonging to the firm’s parent company Whitbread was breached.

The system is run by Aussie recruitment software company PageUp. The breach took place last month and saw names, email addresses, phone numbers, physical addresses and employment information exposed.

“Forensic investigations have confirmed that an unauthorised person gained access to PageUp systems,” explained PageUp. “Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk.”

While PageUp is still investigating the incident, it currently appears to be quite confident that the data breach isn’t a biggie.

“For those employees who currently or previously had access to a client’s PageUp instance, current password data is protected using the robust password hashing algorithm, bcrypt, which includes salts, and therefore is considered to be of very low risk to individuals,” the company said, suggesting that some employees change their passwords if they haven’t done so since 2007.

“Password data for applicants was protected using industry best practice techniques, including hashing and salting and therefore evaluated as a very low risk.

“Importantly, we are confident that the most critical data categories including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts are not affected in this incident.”

While PageUp may be confident in its security, there’s no getting away from the fact it was hacked. And hospitality hacks appear to be in vogue, as Premier Inn, also owned by Whitbread, and competitor Travelodge both suffered data breaches this week.

Both hotel firms saw customer data pilfered in separate breaches. Travelodge saw its data spilt after Typeform, a third-party company that handles the hotel’s customer competitions and surveys, suffered a breach.

Premier Inn’s security slip-up was linked to the PageUp hack, though it’s currently unclear if it was the same breach as the one that affected Costa Coffee. We’ve contacted both firms for clarity.

Cyber fraudsters sell login details for price of a coffee

CYBER criminals are selling personal data on the dark web for the price of a cup of coffee, a survey has found.

Email logins, which can be a gateway to financial data, can be sold for as little as £2.10, it adds. Logins for 26 of the most commonly used accounts are available.

Those for Facebook fetch £3.00, Twitter go for £2.50 and Apple IDs command £10.30 while a Netflix login sells for £8.20. Online shopping details with Amazon sell for £9.80, eBay for £9.70 or £2.70 with Tesco.

The biggest money spinner for crooks is credit card, debit card and PayPal details, which cost £619.40.

Investigators with Money Guru found an individual’s entire personal identity can be bought for £744.30.

Annual fraud against individuals in the UK is estimated to be worth £6.8 billion. Money Guru’s head of digital James MacDonald said: ‘Our research into personal data and how much it’s actually worth on the black market is shocking to say the least.

‘For less than £750, criminals can access not only your bank details but online shopping, social media and email information too.

‘This just goes to show how vital it is to protect your data where possible to avoid facing costly consequences.’

Meanwhile, a fake passport ‘factory’ used to supply hundreds of forged documents has been smashed by police in London.

Police held three men — two Latvian nationals and a Ukrainian — following what they believed to be a ‘handover’ in Hackney, east London.
