Wetherspoon pub chain reveals massive data leak

Details of hundreds of thousands of customers stolen by hackers


JD Wetherspoon, one of the biggest pubcos in the UK, has suffered a huge data theft incident, with hackers making off with the details of over 600,000 customers, including the details of around 100 credit and debit cards.

The company revealed today that its old website was hacked in June and an associated database, containing the details of 656,723 customers and an unknown number of employees, was stolen.

The customer details were, in the majority of cases, limited to names, phone numbers, dates of birth, and email addresses, but 100 of those affected had "extremely limited credit/debit card details ... accessed".

"Only the last four digits of the card numbers were obtained since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date was not compromised," the company said in a statement.

"As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes."

However, Simon Keates, a consultant in mobile security at Thales e-Security, said the theft of the other personal details "is of no less significant concern".

"In fact, theft of card details is relatively easy to 'deal with' - they can be blocked and replaced," he said. "It's the other - seemingly innocuous - information that can pose a bigger problem.

"Details such as your mother's maiden name, your date of birth, and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive information."

Mark James of IT security firm ESET added: "John Hutson, the CEO of JD Wetherspoon, has stated that the breach affected the chain's 'old website', which has since been replaced in its entirety.

"There is a high possibility that little or poor security was involved in the original creation of the [old] site and that in itself led to the site being rewritten. If this was the case, it would be easy to gain access to that data and retrieve all the information and leave without anyone ever noticing."

James and several other security experts have also raised concerns over the fact it took six months for the company to become aware of the breach.

In a statement, the Information Commissioner's Office (ICO) told IT Pro: "We are aware of an incident at JD Wetherspoon and are making enquiries."

JD Wetherspoon hack: what to do if you have been a victim

JD Wetherspoon told customers in an email that it "cannot confirm" yet exactly who has been affected. However, you may be at risk if you have done any of the following:

  • Used the 'Contact Us' form
  • Signed up to receive the JD Wetherspoon newsletter
  • Registered to use 'The Cloud' WiFi in its pubs and opted into receiving company information (e.g. marketing materials)
  • Bought Wetherspoon vouchers online anytime between January 2009 and August 2014
  • Began working at JD Wetherspoon before 10 November 2011

Users should be on the lookout for phishing emails, unsolicited phone calls, as well as any unusual bank activity or other indicators of fraud. They should also consider changing their passwords, particularly if they are in the habit of re-using the same ones repeatedly.
