JD Wetherspoon loses data of over 650,000 customers in cyberattack

The ICO are investigating, but the company seems at a bit of a loss over what happened.
Written by Charlie Osborne, Contributing Writer

The dust has barely settled on a cyberattack which took place against telecommunications firm TalkTalk, but retail giant JD Wetherspoon has now admitted to becoming yet another victim of an attack, resulting in the potential loss of data belonging to 656,723 customers.


In an email to customers sent on Thursday, the food and drink chain said the firm's website had been hacked between 15 and 17 June this year, resulting in the potential loss of customer data including names, dates of birth, email addresses and phone numbers -- as well as a small amount of credit card records.

While the company's website has since been given a complete overhaul, JD Wetherspoon says that a database compromised by the front-facing website attack contained the details of 656,723 customers, including the "limited" details of 100 credit cards belonging to customers.

If customers purchased Wetherspoon vouchers online before August 2014, they are among the unlucky few whose credit card details may be floating around underground marketplaces today.

In addition, individuals who signed up for company newsletters, purchased vouchers, registered with "The Cloud" to use Wi-Fi services in JD Wetherspoon or used the website's contact form may have also had their information stolen.

To make matters worse, the data held by the company was not encrypted. JD Wetherspoon defended this practice as "the first 12 digits and the security number on the reverse of the card were not stored on the database."

While JD Wetherspoon points out that only the last four digits of cards were stolen, and so is adamant they cannot be used fraudulently on their own, any information leak of this type can be damaging -- especially if paired with other stolen data, such as names and dates of birth.

John Hutson, CEO of JD Wetherspoon, told customers:

"The breach took place some time ago. There has been no information from customers, or from our cyber security specialists, that leads us to believe that fraudulent activity, using the stolen information, has taken place, although we cannot be certain.
Once again, please accept our sincere apologies and be assured that we are doing our utmost to prevent this from happening again."

The popular pub chain has notified the Information Commissioner's Office (ICO) and will cooperate with the agency's investigation into the attack, but admits that currently it is clueless as to what happened to the stolen data as the breach "took place some time ago."

JD Wetherspoon was quick to emphasize that the Data Protection Act, a UK law which requires companies to take reasonable steps to protect the data they hold, was not breached; rather, the data loss was simply a "criminal attack."

The company was told about the breach on 1 December and quickly went public. You can only applaud this practice, something Jonathan Sander, VP of Product Strategy at Lieberman Software, agrees with. Sander told ZDNet:

"People can handle bad news but they hate surprises. Lucky for Wetherspoon, breaches aren't that surprising anymore. But people don't like it when they aren't told until it feels too late.

The announcements from Wetherspoon seem to be coming out as soon as they know anything. So that gives the impression that they are trying their best to keep the public informed. It's still bad news, but at least they are giving people the information they need to understand what's happening."
