Updated: JD Wetherspoon hacked last summer, notices now

JD Wetherspoon, one of the largest pub chains in Britain, was hacked last summer in June, and the company has only now noticed.

The hack resulted in hundreds of thousands of stolen user account details. The financial information, although stolen, can't be used, the company said, as only the last four digits of each card are visible. It was reported that 100 customers who bought Wetherspoon vouchers online have had their credit and debit card information stolen.

However, the customer's name, phone number, date of birth and email address can be used for various phishing attempts and possible identity theft.

According to a report by UK's Business Insider, a total of 656,723 user accounts were stolen from the company's old website. Wetherspoon says in an email sent to customers on Thursday that it "cannot confirm" who exactly has been affected yet.

Your information could be in the breach if you've done any of the following:

  • signed up to receive the company newsletter, usually via the company website;
  • registered with ‘The Cloud’ in order to use Wi-Fi in its pubs and opted to receive company information;
  • purchased Wetherspoon vouchers online between January 2009 and August 2014;
  • submitted a ‘Contact Us’ form.

Wetherspoon CEO John Hutson says in the email to customers sent Thursday: "Remain vigilant for any emails that you are not expecting, that specifically ask you for personal or financial information, or request you to click on links or download information."

Industry reaction

Richard Brown, Director EMEA Channels & Alliances at Arbor Networks:

“This is just the latest attack in what is a long line of breaches against large well-known organisations storing huge volumes of at-risk customer data. The fact that over 500,000 customer details were stolen and the threat remained undetected until now highlights the huge problem organisations are now facing. Hackers hiding in networks and using more advanced techniques to stay invisible is an increasing trend. Businesses need to realise that hackers continue to evolve and are one of the biggest threats to their reputation, profitability and customer base.

“To improve their chances of detecting a breach earlier rather than later, organisations need to move beyond an incident response plan and instead look at ‘hunting’ for vulnerabilities using threat intelligence. This will allow security teams to detect unusual network activities and trends as soon as they happen, and also enable them to deal with any issues immediately.”

Gavin Millard, Technical Director (EMEA) at Tenable Network Security:

"Whilst the loss of 100 credit card details will be a concern of those affected, more cards will be misplaced this weekend through overindulgence of beer than the breach. What is of concern though is the loss of 650,000 customer details and the time between the data being exfiltrated to when the issues were discovered. Organisations who collect data from customers on their website should ensure that the code deployed is designed with security in mind, auditing continuously for easily exploitable flaws and indicators of misuse.

"Hopefully the company understands the importance of communicating clearly and accurately about how customers could be affected by such a breach and their spokespeople will be briefed by security experts before commenting about the technical details of the protections in place or attack methodology."

Paul McEvatt, Senior Cyber Threat Intelligence Manager, UK & Ireland at Fujitsu:

“Another day, another data breach – this time JD Wetherspoon is in the spotlight with the focus on the hospitality sector. This breach, coupled with other recent breaches against large hotel chains such as Starwood and Hiltons, suggests this is a focus area for criminals at the moment. The fact that 656,723 customer details were stolen in June and remained undetected until now highlights this is a continued issue.

“The amount of data and confidential information that is transacted every day, coupled with the growth in reliance on digital services, means that every organisation in any industry is at risk and a target for cyber criminals. Organisations need to consider the stark reality that a data breach will happen and ensure they have defence in depth controls but also are ready for when an incident will occur.

“With consumers battling to understand the on their personal information if a company is hacked, there is no room for error. According to research from Fujitsu, only 9% of consumers believe British organisations are doing enough to protect their data. So organisations need to ensure that they do more as cyber criminals continue to evolve, by remaining ahead of their competitors and robust in their security.”