IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Wetherspoon pub chain reveals massive data leak

Details of hundreds-of-thousands of customers stolen by hackers


JD Wetherspoon, one of the biggest pubcos in the UK, has suffered a huge data theft incident, with hackers making off with the details of over 600,000 customers, including the details of around 100 credit and debit cards.

The company revealed today that its old website, was hacked in June and an associated database, containing the details of 656,723 customers and an unknown number of employees, was stolen.

The customer details were, in the majority of cases, limited to names, phone numbers, dates of birth, and email addresses, but 100 of those affected had "extremely limited credit/debit card details ... accessed".

"Only the last four digits of the card numbers were obtained since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date was not compromised," the company said in a statement.

"As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes."

However, Simon Keates, a consultant in mobile security at Thales e-Security, said the theft of the other personal details "is of no less significant concern".

"In fact, theft of card details is relatively easy to 'deal with' - they can be blocked and replaced," he said. "It's the other - seemingly innocuous - information that can pose a bigger problem.

"Details such as you mother's maiden name, your date of birth, and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive this information."

Mark James of IT security firm ESET added: "John Hutson, the CEO of JD Wetherspoon, has stated that the breach affected the chain's 'old website', which has since been replaced in its entirety.

"There is a high possibility that little or poor security was involved in the original creation of the [old] site and that in itself led to the site being rewritten. If this was the case, it would be easy to gain access to that data and retrieve all the information and leave without anyone ever noticing."

James and several other security experts have also raised concerns over the fact it took six months for the company to become aware of the breach.

In a statement, the Information Commissioner's Office (ICO) told IT Pro: "We are aware of an incident at JD Wetherspoon and are making enquiries."

JD Wetherspoon hack: what to do if you have been a victim

JD Wetherspoon told customers in an email that it "cannot confirm" yet exactly who has been affected. However, you may be at risk if you have done any of the following:

  • Used the 'Contact Us' form
  • Signed up to receive the JD Wetherspoon newsletter
  • Registered to use 'The Cloud' WiFi in its pubs and opted into receiving company information (e.g. marketing materials
  • Bought Wetherspoon vouchers online anytime between January 2009 and August 2014
  • Began working at JD Wetherspoon before 10 November 2011

Users should be on the lookout for phishing emails, unsolicited phone calls, as well as any unusual bank activity or other indicators of fraud. They should also consider changing their passwords, particularly if they are in the habit of re-using the same ones repeatedly.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download


Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022