JD Wetherspoon is a highly popular British chain of pubs, famous for its cheap booze, Thursday curry club and lack of pretension.
It’s far from everyone’s cup of tea, of course, and now over 650,000 people who gave the firm their names, email addresses, dates of birth and phone numbers have a good reason to regret their drinking spot.
Because the company has just announced that hackers have accessed a copy of its customer database, by way of an old version of its website that was poorly secured.
In short, JD Wetherspoon used a third-party company to run its website. The website has since been revamped, and is now run by a new company on Wetherspoon’s behalf, but the previous web host appears to have kept the old servers online, in an insecure fashion – and it was that which was breached by hackers.
Here is how Wetherspoon’s described the hack in an email to customers:
We received information on the afternoon of the 1st December that some customer data may have been stolen by a third party (often referred to as ‘hacking’). An urgent investigation by cyber security specialists was instigated. At 5.45pm on the 2nd December the security specialists informed us that the customer database related to our old website was breached (or hacked) between 15th and 17th June 2015. This website has since been replaced in its entirety. Our current website is managed by a new digital partner. The new partner has no connection to the website that was the subject of the breach of security.
In respect of the majority of customers, the database contained the following customer information: the name of the customer, the date of birth, the email address and the phone number.
Wetherspoon’s tries to hide the number of affected customers at the bottom of its FAQ – 656,723. That’s four times as many as were put at risk in the recent hack of broadband operator TalkTalk.
In addition, 100 customers (which JD Wetherspoon describes as “a tiny number”) who bought vouchers online have had the last four digits of their credit/debit cards stolen. Wetherspoon’s is keen to stress that other information (such as expiry date and customer name) wasn’t taken in that part of the attack, and that those details alone cannot be used to empty your bank account – but think of how often you are asked to confirm the final digits of your card to prove your identity.
How might your details have ended up in Wetherspoon’s database?
Well, maybe you signed up for their newsletter on their website, or sent them a message via their “Contact us” form. Or maybe you registered with ‘The Cloud’, in order to use Wi-Fi at a Wetherspoon’s and agreed to receive information about the company at the same time.
Or perhaps you purchased Wetherspoon’s vouchers online between January 2009 and August 2014.
Finally, some personal staff details, registered before 10 November 2011, were also accessed by the hackers.
It goes without saying that the old version of the site should not have been accessible to the hackers. In fact, if JD Wetherspoon wasn’t planning to use the hosting company’s servers any longer, it is a mystery why the provider did not wipe any information it was storing (insecurely, as it happens) on its servers.
You cannot help but feel that it may not be entirely fair to solely blame JD Wetherspoon for allowing the breach to occur. Clearly the third-party company that previously hosted the Wetherspoon’s site may also have questions to answer – especially as it seems the breach occurred back in June, and only came to light some six months later.
JD Wetherspoon’s chief executive, John Hutson, apologised to customers and employees who have been impacted by the hack:
“Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”
The company says it has informed the Information Commissioner’s Office (ICO) about the data breach, and advises affected customers to be wary of unsolicited phone calls or messages – especially any that might invite recipients to click on links or request personal information.