view share price

Information security

Protecting Customer, Employee and Supplier data

Information and systems are amongst Whitbread’s most valuable assets.  
 
Protecting these is critical to sustainability and competitiveness of our business as well as keeping the trust of our customers, employees, suppliers and investors.  

For these reasons, Information Security and Data Privacy are identified as principal risks for the business in our annual report

We take the responsibility of being entrusted with our customers and employees personal data very seriously and we’re committed to protecting all data with the highest levels of security. Our multi-year Information Security programme continues to review and enhance across our security capabilities where required. 

We are committed to protecting all information in accordance with; its value, its sensitivity, our customer and employee expectations, our business goals, and regulatory requirements.

Governance

Accountability for Information Security sits with the Chief Information Security Officer who reports directly to the Group Operations Director on a day to day basis.

In addition, the Board and Executive Directors receive detailed updates on our risk management and mitigation activities through the following committees:  

  • Group Executive Committee 
  • Group Audit Committee 
  • Compliance and Risk Committees 

Risk Management 

To deliver and demonstrate our commitment, we have developed policies that set out our ambition and have implemented controls to prevent, detect and mitigate risks. We have adopted a risk-based approach which is used in prioritising activities on those areas that are highest risk to the business.  

We have also established reporting processes to raise visibility with leadership teams and continuously invite challenge through independent reviews and audits. 

Our objectives are to preserve:
  • Confidentiality:
    We take the highest level of care in protecting information in line with its classification/risk. 
  • Integrity:
    We have robust systems and processes to ensure that information is complete and accurate. 
  • Availability:
    We ensure systems and Information are available at the time when they are needed.

Below are several examples of some of our activities; 

Compliance & Frameworks

In order to ensure we are following best practices, we subscribe to the ISF Framework at the heart of our Information Security Strategy, which also utilises components from ISO27001. 

Our Restaurants business is also certified to PCI-DSS, which is externally assessed annually.  

Each year we are externally assessed on our overall Information Security maturity against others in our industry area and have continued to improve in this scoring year on year. 

Business Continuity

To maintain the successful ongoing operation of our business, we conduct annual business impact assessments across our functions to identify the capabilities, needs and criticalities to our business.  We then implement response plans, controls and mitigations to help protect those essential processes.   

This includes testing the disaster recovery and resilience of our IT systems. 

Systems Security 

In order to ensure our technology systems are protected against changing security vulnerabilities, we regularly test and install ‘patches’. We also perform compliance monitoring to ensure that these patches are activated in a timely manner. 

In addition, we continue to strengthen our network to help us protect against unauthorised traffic and malicious content entering our environment. We have deployed tools to protect us against malware infections and have independent penetration testing performed to actively identify vulnerabilities. 

To continually assess our security exposure, we regularly conduct external security testing across our systems, with critical systems being tested annually. Systems and applications that are developed are scrutinised for security bugs and weaknesses throughout their development before being launched. 

We have a robust process in place for identifying and escalating security incidents, including established Security Incident and Event Monitoring capabilities. We have a 24×7 Security Operations Centre in place to assess and investigate abnormal activities.  

Keeping ahead of threats is vital, therefore we have a comprehensive threat intelligence capability to proactively alert us potential issues or attacks, allowing us to plan ahead for the eventualities and prevent them before they can cause harm. 

Employee Awareness Training 

We make sure that our employees are trained in security awareness so that they understand the importance of confidentiality, integrity and availability and their responsibility to preserve it. Ongoing training is also undertaken to help further protect our customer, employee and business information. 

Employee information security awareness training is mandatory. We make sure that training is relevant, role specific and tailored. We deliver regular refresher training for office-based teams to ensure it remains current in everyone’s minds. We also have annual refresher training for all employees. 

Advanced Technology security training is also made available to all Technology teams including privileged system users. 

We have a 24×7 Security Operations Centre and Protector Hotline which are available to employees should they wish to make a report of any suspicious activity or concerns. 

Supplier Assurance 

We expect our suppliers to take the same level of care as we do for the information shared with them, and as such we have a supplier assurance programme in place. We focus on those suppliers that pose the highest risk to Whitbread, employee and customer data. Those we identify as highest risk, we conduct a supplier review which may include questionnaires and site visits. 

Responsible Reporting of Security Issues 

Whitbread understands that security is essential in maintaining the trust our customers and guests place in us to provide our products and services. Whilst we continue to be vigilant and always seeking to improve our maturity in this space, we recognise the important role that security researchers play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or services, we ask for your help in disclosing it to us in a responsible manner.

If you discover a site vulnerability or are a customer who is concerned your account has been compromised, please notify us via information.security@whitbread.com. We encourage you to encrypt sensitive information. 

When reaching out to us, please include:

  • A detailed summary of the issue, including a list of steps for how we can reproduce it.
  • Correct contact information, such as an email address, by which we can reach you in case we need more information.

Whitbread strongly believes in our responsibility to protect our customers data and their interests in this matter. To that end, we believe that responsible disclosure involves privately notifying us of any security vulnerabilities, and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.

We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:

Do not attempt to access, modify, destroy, or disclose our users’ information.

Do not attempt to deface or degrade our services.

Do not violate applicable law.

Reporting your vulnerability 

Submissions must include written instructions for reproducing the vulnerability.

If reporting vulnerabilities as a video, we ask you to not post POCs publicly without our consent to video-sharing sites such as YouTube, Vimeo. In the case that you need to share a video please ensure it is password protected.

We ask you do not publicly disclose your submission until Whitbread has evaluated the impact.

The combined contributions of all security professionals in the wider community are essential to keeping us all secure. We thank everyone in this space for their efforts

Bug Bounty

Please be aware that we do not operate bug bounty programme at this time and therefore do not offer rewards by default. Discretionary nonfinancial reward may be offered based on risk and other factors. 

Contacting Information Security 

If you require any further information on how we protect our data/systems, or you have a question for our Information Security Team, please contact them at: information.security@whitbread.com  

You should receive a response within two business days. 

Visit our brand sites