Wetherspoon pub chain reveals massive data leak

Details of hundreds of thousands of customers stolen by hackers

JD Wetherspoon, one of the biggest pubcos in the UK, has suffered a huge data theft incident, with hackers making off with the details of over 600,000 customers, including the details of around 100 credit and debit cards.

The company revealed today that its old website was hacked in June, and that an associated database, containing the details of 656,723 customers and an unknown number of employees, was stolen.

The customer details were, in the majority of cases, limited to names, phone numbers, dates of birth, and email addresses, but 100 of those affected had "extremely limited credit/debit card details ... accessed".

"Only the last four digits of the card numbers were obtained since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date was not compromised," the company said in a statement.

"As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes."

However, Simon Keates, a consultant in mobile security at Thales e-Security, said the theft of the other personal details "is of no less significant concern".

"In fact, theft of card details is relatively easy to 'deal with' - they can be blocked and replaced," he said. "It's the other - seemingly innocuous - information that can pose a bigger problem.

"Details such as your mother's maiden name, your date of birth, and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive information."

Mark James of IT security firm ESET added: "John Hutson, the CEO of JD Wetherspoon, has stated that the breach affected the chain's 'old website', which has since been replaced in its entirety.

"There is a high possibility that little or poor security was involved in the original creation of the [old] site and that in itself led to the site being rewritten. If this was the case, it would be easy to gain access to that data and retrieve all the information and leave without anyone ever noticing."

James and several other security experts have also raised concerns over the fact it took six months for the company to become aware of the breach.

In a statement, the Information Commissioner's Office (ICO) told IT Pro: "We are aware of an incident at JD Wetherspoon and are making enquiries."

JD Wetherspoon hack: what to do if you have been a victim

JD Wetherspoon told customers in an email that it "cannot confirm" yet exactly who has been affected. However, you may be at risk if you have done any of the following:

  • Used the 'Contact Us' form
  • Signed up to receive the JD Wetherspoon newsletter
  • Registered to use 'The Cloud' WiFi in its pubs and opted into receiving company information (e.g. marketing materials)
  • Bought Wetherspoon vouchers online anytime between January 2009 and August 2014
  • Began working at JD Wetherspoon before 10 November 2011

Users should be on the lookout for phishing emails, unsolicited phone calls, as well as any unusual bank activity or other indicators of fraud. They should also consider changing their passwords, particularly if they are in the habit of re-using the same ones repeatedly.
