Customers' Personal Data Stolen in JD Wetherspoon Hack | Tripwire

Customers' Personal Data Stolen in JD Wetherspoon Hack

Posted on December 4, 2015
FTC Says Identity Theft Victims Don't Always Need a Police Report
Approximately 657,000 customers have had their personal information compromised in a hack against UK pub chain JD Wetherspoon. According to The Guardian, the names, dates of birth, email addresses, and mobile phone numbers of 656,723 customers were affected by the incident, which is believed to have occurred between June 15 and June 17 of this year on the company's old website. JD Wetherspoon has since replaced its site.
"We have taken all necessary measures to make our website secure again following this attack," explained John Hutson, chief executive of the pub chain, as reported by the BBC. "A forensic investigation into the breach is continuing."
All of the information compromised by the hack was stored on a database held by a third party company, which explains why the hack went undetected until December 1st. Security officials confirmed the attack the next day, and the company began notifying customers on December 3rd.
security112.jpg
Personal data would have been inputted into this database if customers signed up to receive the company's newsletter, registered to use Wi-Fi in the pubs, submitted a "contact us" form via the website, or bought vouchers online prior to August 2014. Regarding this lattermost activity, it is believed that certain payment card details of approximately 100 customers who bought vouchers between January 2009 and August 2014 were exposed by the hack. This stolen information is thought to contain only the cards' last four digits, as the remaining 12 digits and the expiration date were not stored on the database. Hutson stated that neither the security teams investigating the breach nor any of the 100 customers have reported fraudulent activity with regards to the affected payment cards, though he did admit "we cannot be certain". He added:
"Hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence."
With the investigation ongoing, affected customers are urged to look out for phishing emails that seek to obtain their personal or financial information. JD Wetherspoon joins the ranks of TalkTalk, Vodafone, and other UK companies that have recently been hacked.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!