Wetherspoon hack exposes over 600,000 customers

Cheap drinks, cheap security?

Another week, another hack. JD Wetherspoon, the owner of countless cheap British pubs, has revealed that an older version of its website was hacked between June 15th and 17th, putting over 600,000 customers at risk. The company says it was informed of the attack on December 1st and immediately called in security specialists, who confirmed the breach a day later. All customers were then notified via email on December 3rd.

Specifically, attackers gained access to a database containing the details of 656,723 customers. The "majority" of these had their first name, surname, date of birth, email address and mobile phone number stored on the system. Wetherspoon says 100 customers who bought vouchers online before August 2014 also had "very limited" credit and debit card details stolen. Attackers could have obtained the last four digits of these cards -- the rest weren't stored on the database -- and the company believes these can't be used for fraudulent purposes. It's also emphasising that some customers had less information stored on the system -- some only submitted their first name, surname and email address, for instance.

So who is affected? Well, Wetherspoon says its customers provide information "in several ways," but the most common are; signing up for the company newsletter, normally through its website; registering for free WiFi (The Cloud) in one of its pubs and agreeing to receive company information; submitting a Contact Us form online; buying the aforementioned vouchers online between January 2009 and August 2014.

Wetherspoon is keen to emphasise that the attack took place on an older website. It was run by another company -- the identity of which is still unknown -- and since then, the pub chain has switched to a new website managed by a different partner. Six months is a long time, but Wetherspoon says it's seen no evidence of fraudulent activity, or any reports that the stolen information has been used by the attackers. The company admits, however, that it "cannot be certain" at this time.

John Hutson, CEO of Wetherspoon said:

"Hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence."

Wetherspoon joins TalkTalk, Vodafone and VTech in a string of hacks affecting companies both in the UK and abroad. TalkTalk has gained the most exposure in Britain, prompting an inquiry by the UK's Culture, Media and Sport Committee. It will look not only at TalkTalk, but the security practices being used generally by the telecoms and internet service provider (ISP) industry. The problem is that most businesses now have an online component with some degree of customer data -- cybersecurity is an issue for everyone, not just banks and other corporate monoliths.

[Image Credit: Matthew Lloyd/Bloomberg via Getty Images]