The personal details of over 650,000 JD Wetherspoons customers may have been stolen after a back-end database was hacked, according to reports.
The pub chain revealed in a letter to customers seen by the BBC that the security incident occurred between 15-17 June on its old website, which has since been replaced.
The firm apparently found out about the incident on Tuesday.
Names, dates of birth, email addresses and phone numbers were among the information exposed in the cyber attack. Around 100 additional customers had card data stolen, although only the last four digits of card numbers was stored by Wetherspoons—albeit unencrypted.
Those affected may have handed over their personal info when they signed up to receive Wetherspoon's newsletter, registered to use Wi-Fi in a pub, submitted a 'contact us' form on the website, or bought vouchers online before August 2014, the report claimed.
Chief executive, John Hutson, apparently urged customers in the letter to "remain vigilant for any emails that you are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information.”
However, apparently no passwords were taken and there’s so far been no evidence of follow-up fraud.
Piers Wilson, head of product management at Huntsman, argued that the firm should have detected the attack long before now.
“If organizations can get better at spotting unusual activity, whether in their head office or in a customer-facing website, then they can lessen the impact of attacks,” he added.
“Technologies are needed that can detect this unusual activity, spotting patterns of behavior that indicate a successful attack; for example, sudden requests for access to data that has been in longer term storage.”
Stephen Love, security architect at Insight UK, claimed firms must first undertake a “thorough assessment” to understand what their most at-risk data is, and then secure it accordingly.
“Adopting methods such as encryption will render data useless, should the worst case scenario occur, and ensure no matter what [that] the case customer information remains secure,” he said.
“Only the organizations that take heed and act will be able to minimize the reputational and financial risks we now all face on a daily basis."
Matthew Aldridge, solutions architect at Webroot, urged customers to contact their banks to ensure there’s been no suspicious account activity.
“It is now also down to JD Wetherspoon to thoroughly investigate the breach so all affected customers are informed and the vulnerability within the system is fixed,” he argued.
“Whether a full set of customer data has been stolen by the hackers or not, it still puts their customer data at risk and will reduce their level of trust towards such a large chain of pubs.”
Photo © Arena Photo UK/Shutterstock.com