JD Wetherspoon loses 650,000 customer records in database breach

JD Wetherspoon, the British pub outfit, suffered a leak of its customer details, affecting over 650,000 customers, four times more than the TalkTalk hack.

JD Wetherspoon in Victoria Station, London
JD Wetherspoon in Victoria Station, London

British pub chain JD Wetherspoon has suffered a leak of its customer details affecting more than 650,000 customers.

This is four times the number of customers hacked in the TalkTalk breach. Wetherspoon said credit and debit card data losses were limited to 100 customers who lost only the last four digits of their card numbers.

The company said, “These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database.”

According to a statement from the company, customers who signed up to receive Wetherspoon's newsletter, registered with Sky's The Cloud to use Wi-Fi in its pubs, submitted a 'contact us' form on the website or bought vouchers online before August 2014 were affected.

The data gathered from these sources contained customers' names, dates of birth, email addresses and phone numbers.

Operating 900 pubs across Britain and employing 33,000 staff, personal staff details registered before 10th November 2011 were stolen too, but no salary, bank, tax or national insurance information was accessed.

In a statement, JD Wetherspoon CEO John Hutson said, "Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence."

Hutson added: “We apologise wholeheartedly to customers and staff who have been affected.”

The hack happened between 15-17 June on the pub chain's old website, which has since been replaced. The data accessed was held by a third-party company but the attack had remained undetected. Wetherspoon became aware of a possible breach on 1 December after it was contacted by a reporter from the Financial Times, and it was confirmed the following day.

An email sent to customers, notifying them of the breach, stated: “This website has since been replaced in its entirety.”

It added, “Our current website is managed by a new digital partner. The new partner has no connection to the website that was the subject of the breach of security.”

Refuting comments that they don't take security seriously, the company said, “We take any threat to the security of our customers' data very seriously. We regularly review and update our systems to maximise security and we are reviewing this breach with the help of expert advice to understand this incident and prevent a recurrence.”

The breach was discovered by cyber-security company CyberInt, which linked the Wetherspoon hack to a Russian group on the Dark Web.

Speaking to the FT, Elad Ben Meir, vice-president at CyberInt, said, “Companies who wish to avoid the massive reputational and financial damage that often follows these types of events should not only reinforce their own ‘traditional' cyber defences but should take a more proactive stance to defending against such attacks.”

He continued: “This can be done by collecting targeted cyber intelligence from thousands of sources including the dark web, the deep web, social networks and other sources, and by continuously assessing the organisation's resilience to these attacks.”

According to the pub chain, the Information Commissioner's Office has been informed and an investigation has begun.

Gavin Millard, chief technical director (EMEA) at Tenable Network Security, said, "Organisations who collect data from customers on their website should ensure that the code deployed is designed with security in mind, auditing continuously for easily exploitable flaw and indicators of misuse.”

Simon Keates, consultant in mobile security at Thales e-Security, commented, “Theft of card details is relatively easy to ‘deal with' – they can be blocked and replaced. It's the other – seemingly innocuous – information that can pose a bigger problem. Details such as your mother's maiden name, your date of birth and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive information. Armed with this information, hackers can continue to commit behavioural attacks well beyond the initial breach.”

Paul McEvatt, senior cyber threat intelligence manager, UK and Ireland at Fujitsu, said, “According to research from Fujitsu, only nine percent of consumers believe British organisations are doing enough to protect their data. So organisations need to ensure that they do more as cyber-criminals continue to evolve, by remaining ahead of their competitors and robust in their security.”

Matt Middleton-Leal, regional director UK and Ireland at CyberArk, commented: “While details of this breach are still emerging, the most worrying aspect is that suspicious activity was seemingly not detected until recently, leaving the attackers on the inside of the network and able to gather sensitive data for several months.”

Justin Basini, co-founder and CEO of ClearScore said, “This proves yet again that all businesses face the risk of being hacked. What stands out in this case is that only now people are finding out that criminals may have been using their personal data for the past six months. Consumers need to be proactive in checking for suspicious or unexpected activity – for example, if credit has been taken out in their name. JD Wetherspoon customers should check their credit reports to monitor for any unusual activity and report anything untoward to Action Fraud.”