Information security
Protecting Customer, Employee and Supplier data
Information and systems are amongst Whitbread’s most valuable assets.
Protecting these is critical to sustainability and competitiveness of our business as well as keeping the trust of our customers, employees, suppliers and investors.
For these reasons, Information Security and Data Privacy are identified as principal risks for the business in our annual report.
We take the responsibility of being entrusted with our customers' and employees' personal data very seriously and we’re committed to protecting all data with the highest levels of security. Our multi-year Information Security programme continues to review and enhance our security capabilities where required.
We are committed to protecting all information in accordance with its value, its sensitivity, our customer and employee expectations, our business goals, and regulatory requirements.
Governance
Accountability for Information Security sits with the Chief Information Security Officer who reports directly to the Group Operations Director on a day to day basis.
In addition, the Board and Executive Directors receive detailed updates on our risk management and mitigation activities through the following committees:
- Group Executive Committee
- Group Audit Committee
- Compliance and Risk Committees
Risk Management
To deliver and demonstrate our commitment, we have developed policies that set out our ambition and have implemented controls to prevent, detect and mitigate risks. We have adopted a risk-based approach which is used in prioritising activities on those areas that are highest risk to the business.
We have also established reporting processes to raise visibility with leadership teams and continuously invite challenge through independent reviews and audits.
Our objectives are to preserve:
Confidentiality:
We take the highest level of care in protecting information in line with its classification/risk.
Integrity:
We have robust systems and processes to ensure that information is complete and accurate.
Availability:
We ensure systems and information are available at the time when they are needed.
Below are several examples of our activities:
Compliance & Frameworks
In order to ensure we are following best practices, we place the ISF Framework at the heart of our Information Security Strategy, which also utilises components from ISO 27001.
Our Restaurants business is also certified to PCI-DSS, which is externally assessed annually.
Each year we are externally assessed on our overall Information Security maturity against others in our industry sector and have continued to improve in this scoring year on year.
Business Continuity
To maintain the successful ongoing operation of our business, we conduct annual business impact assessments across our functions to identify the capabilities, needs and criticalities to our business. We then implement response plans, controls and mitigations to help protect those essential processes.
This includes testing the disaster recovery and resilience of our IT systems.
Systems Security
In order to ensure our technology systems are protected against changing security vulnerabilities, we regularly test and install ‘patches’. We also perform compliance monitoring to ensure that these patches are applied in a timely manner.
In addition, we continue to strengthen our network to help us protect against unauthorised traffic and malicious content entering our environment. We have deployed tools to protect us against malware infections and have independent penetration testing performed to actively identify vulnerabilities.
To continually assess our security exposure, we regularly conduct external security testing across our systems, with critical systems being tested annually. Systems and applications that are developed are scrutinised for security bugs and weaknesses throughout their development before being launched.
We have a robust process in place for identifying and escalating security incidents, including established Security Incident and Event Monitoring capabilities. We have a 24×7 Security Operations Centre in place to assess and investigate abnormal activities.
Keeping ahead of threats is vital, therefore we have a comprehensive threat intelligence capability to proactively alert us to potential issues or attacks, allowing us to plan ahead for these eventualities and prevent them before they can cause harm.
Employee Awareness Training
We make sure that our employees are trained in security awareness so that they understand the importance of confidentiality, integrity and availability and their responsibility to preserve it. Ongoing training is also undertaken to help further protect our customer, employee and business information.
Employee information security awareness training is mandatory. We make sure that training is relevant, role specific and tailored. We deliver regular refresher training for office-based teams to ensure it remains current in everyone’s minds. We also have annual refresher training for all employees.
Advanced Technology security training is also made available to all Technology teams including privileged system users.
We have a 24×7 Security Operations Centre and Protector Hotline which are available to employees should they wish to make a report of any suspicious activity or concerns.
Supplier Assurance
We expect our suppliers to take the same level of care as we do for the information shared with them, and as such we have a supplier assurance programme in place. We focus on those suppliers that pose the highest risk to Whitbread, employee and customer data. For those we identify as highest risk, we conduct a supplier review, which may include questionnaires and site visits.
Responsible Reporting of Security Issues
Whitbread understands that security is essential in maintaining the trust our customers and guests place in us to provide our products and services. Whilst we continue to be vigilant and always seek to improve our maturity in this space, we recognise the important role that security researchers play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or services, we ask for your help in disclosing it to us in a responsible manner.
If you discover a site vulnerability or are a customer who is concerned your account has been compromised, please notify us via information.security@whitbread.com. We encourage you to encrypt sensitive information.
When reaching out to us, please include:
- A detailed summary of the issue, including a list of steps for how we can reproduce it.
- Correct contact information, such as an email address, by which we can reach you in case we need more information.
Whitbread strongly believes in our responsibility to protect our customers' data and their interests in this matter. To that end, we believe that responsible disclosure involves privately notifying us of any security vulnerabilities, and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.
We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:
- Do not attempt to access, modify, destroy, or disclose our users’ information.
- Do not attempt to deface or degrade our services.
- Do not violate applicable law.
Reporting your vulnerability
Submissions must include written instructions for reproducing the vulnerability.
If reporting vulnerabilities as a video, we ask you not to post proof-of-concept (POC) videos publicly on video-sharing sites such as YouTube or Vimeo without our consent. In the case that you need to share a video, please ensure it is password protected.
We ask you not to publicly disclose your submission until Whitbread has evaluated the impact.
The combined contributions of all security professionals in the wider community are essential to keeping us all secure. We thank everyone in this space for their efforts.
Bug Bounty
Please be aware that we do not operate a bug bounty programme at this time and therefore do not offer rewards by default. A discretionary non-financial reward may be offered based on risk and other factors.
Contacting Information Security
If you require any further information on how we protect our data/systems, or you have a question for our Information Security Team, please contact them at: information.security@whitbread.com
You should receive a response within two business days.