Wetherspoon pub chain reveals massive data leak


JD Wetherspoon, one of the biggest pubcos in the UK, has suffered a huge data theft incident, with hackers making off with the details of over 600,000 customers, including the details of around 100 credit and debit cards.

The company revealed today that its old website, was hacked in June and an associated database, containing the details of 656,723 customers and an unknown number of employees, was stolen.

The customer details were, in the majority of cases, limited to names, phone numbers, dates of birth, and email addresses, but 100 of those affected had "extremely limited credit/debit card details ... accessed".

"Only the last four digits of the card numbers were obtained since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date was not compromised," the company said in a statement.

"As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes."

However, Simon Keates, a consultant in mobile security at Thales e-Security, said the theft of the other personal details "is of no less significant concern".

"In fact, theft of card details is relatively easy to 'deal with' - they can be blocked and replaced," he said. "It's the other - seemingly innocuous - information that can pose a bigger problem.

"Details such as you mother's maiden name, your date of birth, and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive this information."

Mark James of IT security firm ESET added: "John Hutson, the CEO of JD Wetherspoon, has stated that the breach affected the chain's 'old website', which has since been replaced in its entirety.

"There is a high possibility that little or poor security was involved in the original creation of the [old] site and that in itself led to the site being rewritten. If this was the case, it would be easy to gain access to that data and retrieve all the information and leave without anyone ever noticing."

James and several other security experts have also raised concerns over the fact it took six months for the company to become aware of the breach.

In a statement, the Information Commissioner's Office (ICO) told IT Pro: "We are aware of an incident at JD Wetherspoon and are making enquiries."

JD Wetherspoon hack: what to do if you have been a victim

JD Wetherspoon told customers in an email that it "cannot confirm" yet exactly who has been affected. However, you may be at risk if you have done any of the following:

  • Used the 'Contact Us' form
  • Signed up to receive the JD Wetherspoon newsletter
  • Registered to use 'The Cloud' WiFi in its pubs and opted into receiving company information (e.g. marketing materials
  • Bought Wetherspoon vouchers online anytime between January 2009 and August 2014
  • Began working at JD Wetherspoon before 10 November 2011

Users should be on the lookout for phishing emails, unsolicited phone calls, as well as any unusual bank activity or other indicators of fraud. They should also consider changing their passwords, particularly if they are in the habit of re-using the same ones repeatedly.

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.