Details of 650,000 JD Wetherspoon customers potentially stolen by hackers
Incident will 'reduce level of trust' in the pub chain, warns cyber security expert
Hackers may have stolen personal details of over 650,000 people following a data breach at the JD Wetherspoon pub chain.
According to a notice sent to Wetherspoon's customers by CEO John Hutson, 100 customers who bought Wetherspoon vouchers between January 2009 and August 2014 have had "very limited" credit and debit card information stolen.
The pub chain is adamant that the information can't be used to commit fraud because only the last four digits of payment information were stored, and that the database didn't hold any customer passwords.
Nonetheless, other personal details including customer names, dates of birth, email addresses and phone numbers may have been stolen from the Wetherspoon customer database of 656,723 people.
"We received information on the afternoon of the 1st December that some customer data may have been stolen by a third party," read the statement from Hutson, who said "an urgent investigation by cyber security specialists" was instigated immediately.
A day later, the investigation discovered that the JD Wetherspoon website had been hacked between 15 and 17 June, although the website has since been "replaced in its entirety".
JD Wetherspoon says it's currently unable to confirm if data of individual customers was stolen as a result of the breach, but the company opted to go public with the data breach to "immediately" make customers aware of what has happened and to apologise to them.
"We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing," said Hutson, who added that the Information Commissioner's Office has been informed about the incident.
JD Wetherspoon customers have been advised to be on alert in light of the data breach, so as not to fall victim to cyber criminals or scammers.
"In this instance, we recommend that you remain vigilant for any emails that you are not expecting, that specifically ask you for personal or financial information, or request you to click on links or download information," said the company statement.
"We also recommend that if you are contacted by anyone asking you for personal data or passwords, such as for your bank account details, you should take all steps to check the true identity of the organisation," it added.
Despite the pub chain's quick reaction, Matthew Aldridge, solutions architect at cyber-security firm Webroot, argued that the company will still suffer reputational damage as a result of the breach.
"Whether a full set of customer data has been stolen by the hackers or not, it still puts their customer data at risk and will reduce the level of trust towards such a large chain of pubs," he said.
Luke Scanlon, technology lawyer at Pinsent Masons, said that the JD Wetherspoon data breach serves as yet another reminder to businesses that they need to ensure customer information is stored securely.
"Every business that collects personal data from its customers has a responsibility to ensure that cyber protection measures are in place that provide a level of security which takes into account best practice and the state-of-the-art security technologies available to them, proportionate to the costs of implementing those technologies and the risks inherent in the nature of data being processed," he said.
"Each time a breach of this nature occurs, it is a wake-up call for businesses - the threat is a very real and constant one which could have damaging consequences for a business if the appropriate security isn't in place," Scanlon added.