656,723 reasons to regret going to Wetherspoon’s

JD Wetherspoon is a highly popular British chain of pubs, famous for its cheap booze, Thursday curry club and lack of pretension.

It’s far from everyone’s cup of tea, of course, and now over 650,000 people who gave the firm their names, email addresses, dates of birth and phone numbers have a good reason to regret their drinking spot.

The company has just announced that hackers obtained a copy of its customer database by breaking into an old, poorly secured version of its website.

In short, JD Wetherspoon used a third-party company to run its website. The website has since been revamped, and is now run by a new company on Wetherspoon’s behalf, but the previous web host appears to have kept the old servers online, in an insecure fashion – and it was those servers that were breached by hackers.

Here is how Wetherspoon’s described the hack in an email to customers:

Dear Customer

We received information on the afternoon of the 1st December that some customer data may have been stolen by a third party (often referred to as ‘hacking’). An urgent investigation by cyber security specialists was instigated. At 5.45pm on the 2nd December the security specialists informed us that the customer database related to our old website was breached (or hacked) between 15th and 17th June 2015. This website has since been replaced in its entirety. Our current website is managed by a new digital partner. The new partner has no connection to the website that was the subject of the breach of security.

In respect of the majority of customers, the database contained the following customer information: the name of the customer, the date of birth, the email address and the phone number.

Wetherspoon’s tries to hide the number of affected customers at the bottom of its FAQ – 656,723. That’s four times as many as were put at risk in the recent hack of broadband operator TalkTalk.

In addition, 100 customers (which JD Wetherspoon describes as “a tiny number”) who bought vouchers online have had the last four digits of their credit/debit card numbers stolen. Wetherspoon’s is keen to stress that other information (such as the expiry date and customer name) wasn’t taken in that part of the attack, and that those details alone cannot be used to empty your bank account – but think of how often you are asked to confirm the final digits of your card to prove your identity.

How might your details have ended up in Wetherspoon’s database?

Well, maybe you signed up for their newsletter on their website, or sent them a message via their “Contact us” form. Or maybe you registered with ‘The Cloud’, in order to use Wi-Fi at a Wetherspoon’s and agreed to receive information about the company at the same time.

Or perhaps you purchased Wetherspoon’s vouchers online between January 2009 and August 2014.

Finally, some personal staff details, registered before 10 November 2011, were also accessed by the hackers.

It goes without saying that the old version of the site should not have been accessible to the hackers. In fact, if JD Wetherspoon wasn’t planning to use the hosting company’s servers any longer, it is a mystery why the provider did not wipe the information it was storing (insecurely, as it happens) on those servers.

You cannot help but feel that it may not be entirely fair to solely blame JD Wetherspoon for allowing the breach to occur. Clearly the third-party company that previously hosted the Wetherspoon’s site may also have questions to answer – especially as it seems the breach occurred back in June, and only came to light some six months later.

JD Wetherspoon’s chief executive, John Hutson, apologised to customers and employees who have been impacted by the hack:

“Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”

The company says it has informed the Information Commissioner’s Office (ICO) about the data breach, and advises affected customers to be wary of unsolicited phone calls or messages – especially any that might invite recipients to click on links or request personal information.

[Image: flickr photo shared by Ian Halsey under a Creative Commons (BY-NC) license]

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
