The JD Wetherspoon pub chain is the latest UK firm to warn customers of a data breach after being alerted by security specialists.
Hackers broke into a database in June 2015 containing the details of nearly 657,000 customers, the company said in a statement.
News of the data breach comes just weeks after mobile operator TalkTalk suffered a cyber attack that exposed the details of nearly 157,000 customers, once again underlining the importance of keeping customer data safe.
“Every business that collects personal data from its customers has a responsibility to ensure cyber protection measures are in place. These should provide a level of security that takes into account best practice and the state of the art security technologies available to them, proportionate to the costs of implementing those technologies and the risks inherent in the nature of data being processed,” said Luke Scanlon, technology lawyer at Pinsent Masons.
“Currently in the UK, businesses – with the exception of some telcos – are under no obligation to report a breach, but this is due to change under the incoming General Data Protection Regulation, meaning companies could face significant fines in addition to reputational damage and other legal consequences if they choose not to report a breach.
“Each time a breach of this nature occurs, it is a wake-up call for businesses – the threat is a very real and constant one and could have damaging consequences for a business if the appropriate security isn’t in place,” he said.
Information would have been put on the JD Wetherspoon database when customers signed up to receive Wetherspoon’s newsletter, registered with The Cloud to use Wi-Fi in their pubs, submitted a contact us form on the website or bought vouchers online before August 2014.
The database was related to an old version of its website that has been replaced, but contained customer names, dates of birth, email addresses and phone numbers.
“Our current website is managed by a new digital partner. The partner has no connection to the website that was the subject of the breach of security,” said the company.
Credit and debit card details stolen
JD Wetherspoon also said some credit and debit card details were stolen, but this affected “a tiny number of customers who purchased Wetherspoon vouchers online” and involved only the last four digits of the card numbers.
“These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database.”
However, the company has urged customers to be on the lookout for any unexpected emails that ask for personal or financial information, contain links or request that they download files.
Although the breach is believed to have taken place five months ago, the company said there are no indications that the stolen data has been used for fraudulent activity.
The company said the Information Commissioner’s Office (ICO) had been notified of the breach and a forensic investigation into the breach was underway.
Third-party company blamed for delay
JD Wetherspoon blamed the delay in discovering the breach on the fact that the data was held by a third-party company that formerly hosted the company website.
“Unfortunately, the breach occurred without their knowledge and remained undetected until now,” said the company.
The breach was discovered by cyber intelligence group CyberInt, which collects and analyses data from various online sources, according to the Financial Times.
The company linked the JD Wetherspoon security breach to a Russia-based hacker group known on the dark web.
“The startling element of this latest breach is that it occurred in June and has taken since then to discover. As with the attack on Paddy Power, which was first reported in July 2014 after a four-year breach, customers’ details were at risk long before they knew anything about it – making it impossible for them to take the necessary actions to stop cyber criminals taking money from their account,” said Matthew Aldridge, systems architect at cyber security firm Webroot.
“Members of the public who fear their personal details might have been stolen should contact their bank to ensure there have been no suspicious transactions and take steps to change email addresses and passwords, where possible,” he said.
Aldridge said it is also up to JD Wetherspoon to investigate the breach thoroughly so all affected customers are informed and the vulnerability in the system is fixed.
“Whether a full set of customer data has been stolen by the hackers or not, it still puts their customer data at risk and will reduce their level of trust towards such a large chain of pubs,” he said.