Pub chain JD Wetherspoon has confessed to a data breach in which a third party managed to snag the personal data of 650,000 customers, together with some financial data, through a hack on its old website.
Some of the pub chain's staffers' personal info was also accessed.
A database containing personally identifiable information was accessed, potentially compromising the names, email addresses, dates of birth, and phone numbers of 656,723 customers.
An email to customers stated that "very limited credit/debit card information" was stolen from "a tiny number of customers (100), who purchased Wetherspoon vouchers online before August 2014"; however, 'Spoons was unable to confirm to individual customers whether they were among those affected.
The data was not encrypted, said the firm, "because the first 12 digits and the security number on the reverse of the card were not stored on the database."
The Information Commissioner's Office has been informed of the breach, stated the company, which further explained how it collects customer information:
Despite being discovered on 1 December, 'Spoons noted "the breach took place some time ago" - between 15 and 17 June this year.
"There has been no information from customers, or from our cyber security specialists, that leads us to believe that fraudulent activity has taken place," the company said, adding, "although we cannot be certain."
In a letter to investors, JD Wetherspoon claimed the information had been obtained from its old website, which has now been replaced in its entirety.
Luke Scanlon, a technology lawyer at Pinsent Masons, said: "Every business which collects personal data from its customers has a responsibility to ensure that cyber protection measures are in place that provide a level of security which takes into account 'best practice' and the 'state of the art' security technologies available to them, proportionate to the costs of implementing those technologies and the risks inherent in the nature of data being processed."
"Currently in the UK, businesses (with the exception of some telcos) are under no obligation to report a breach, but this is due to change under the incoming General Data Protection Regulation, meaning that companies could face significant fines in addition to reputational damage and other legal consequences if they choose not to report a breach," said Scanlon. "Each time a breach of this nature occurs, it is a wake-up call for businesses – the threat is a very real and constant one which could have damaging consequences for a business if the appropriate security isn't in place."
JD Wetherspoon CEO John Hutson said: "We apologise wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence."
Rest assured, The Register has enquired as to how this theft was possible through an attack on the website. The company has told us that no further information will be provided before their investigation is complete.
If you can shed any light on the situation, drop us an email. ®