National pub operator JD Wetherspoon is taking action after discovering that some customer and staff information has been accessed illegally by a third party.
The information was obtained from its old website, which has been replaced in its entirety. The company’s current website is managed by a new digital partner, which has no connection to the website that was the subject of the breach of security.
Wetherspoon has alerted customers to the situation by email and has also instructed a leading cyber security specialist to conduct a full forensic investigation into the breach.
No financial data involved
As regards almost all customers, no financial data was involved in the hacking and no passwords were obtained for any customers.
For a tiny minority of 100 customers, who purchased Wetherspoon vouchers online before August 2014, extremely limited credit/debit card details were accessed.
Only the last four digits of the card numbers were obtained, since the remaining digits were not stored in the database.
Other information, such as the customer name and the expiry date, was not compromised. As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes.
Some personal staff details, registered before 10th November 2011, were stolen, but no salary, bank, tax or national insurance information was accessed.
The Information Commissioner’s Office (ICO), which regulates data protection, has been notified of the breach.
Wetherspoon chief executive John Hutson said:
“We apologise wholeheartedly to customers and staff who have been affected.
“Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”
Attached below is the letter sent to customers informing them of the security breach and a copy of the FAQs (frequently asked questions).
CUSTOMER EMAIL
Subject heading: Important notice from the CEO of JD Wetherspoon re data breach
3rd December 2015
Dear Customer
We received information on the afternoon of the 1st December that some customer data may have been stolen by a third party (often referred to as ‘hacking’). An urgent investigation by cyber security specialists was instigated. At 5.45pm on the 2nd December the security specialists informed us that the customer database related to our old website was breached (or hacked) between 15th and 17th June 2015. This website has since been replaced in its entirety. Our current website is managed by a new digital partner. The new partner has no connection to the website that was the subject of the breach of security.
In respect of the majority of customers, the database contained the following customer information: the name of the customer, the date of birth, the email address and the phone number.
For a tiny number of customers (100), who purchased Wetherspoon vouchers online before August 2014, very limited credit/debit card information was stolen. Only the last 4 digits of the cards were obtained, since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date, was not compromised. As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes.
The database did not hold any passwords.
We cannot confirm whether any of your personal data was included in this breach. However, I wanted to make you aware immediately and apologise on behalf of the company.
We have taken all necessary measures to secure our website, following this attack. A forensic investigation into the breach is continuing.
The Information Commissioner’s Office (ICO), which regulates data protection, has been notified of the breach.
The ICO recommends that we give you advice on what steps you can take following a data breach.
In this instance, we recommend that you remain vigilant for any emails that you are not expecting, that specifically ask you for personal or financial information, or request you to click on links or download information.
We also recommend that if you are contacted by anyone asking you for personal data or passwords, such as for your bank account details, you should take all steps to check the true identity of the organisation.
If you have further questions, please visit the FAQ (frequently asked questions) section of our website. You can access this by visiting www.jdwetherspoon.com. The information will be displayed on the FAQ section of the ‘Contact Us’ page. It is also attached to this email.
The breach took place some time ago. There has been no information from customers, or from our cyber security specialists, that leads us to believe that fraudulent activity, using the stolen information, has taken place, although we cannot be certain.
Once again, please accept our sincere apologies and be assured that we are doing our utmost to prevent this from happening again.
Yours sincerely,
John Hutson, CEO
FREQUENTLY ASKED QUESTIONS REGARDING CUSTOMER DATA BREACH
TO BE READ IN CONJUNCTION WITH THE EMAIL TO AFFECTED CUSTOMERS, DATED 3RD DECEMBER 2015.
What data was accessed?
For the majority of customers, the database that was illegally breached (or ‘hacked’) contained the following personal information: first name, surname, date of birth, email address and mobile phone number. Not all customers had provided all this information; for many it was just the first name, surname and email address.
For a tiny number of customers (100), who purchased Wetherspoon vouchers online before August 2014, very limited credit/debit card information was stolen. Only the last 4 digits of the cards were obtained, since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date, was not compromised. As a result, these credit/debit card details cannot be used for fraudulent purposes.
When did this happen/how long has my data been exposed?
The data breach occurred between the 15th and 17th June 2015.
Why has it taken you so long to notify customers of this breach?
The data that was accessed was held by a third party company that previously hosted our company website.
Unfortunately, the breach occurred without their knowledge and remained undetected until now.
On the afternoon of 1st December we received credible information that a data breach may have occurred. We immediately instructed cyber security specialists to conduct an urgent investigation.
At 5.45pm on 2nd December the security specialists confirmed that the customer database related to our former website was breached (or hacked) between 15th and 17th June. A process was put in place immediately to notify all customers who may have been affected. The notification took place on 3rd December.
How did you have my information?
Customers provide us with their information in several ways:
- they sign up to receive the company newsletter, usually via the company website.
- they register with ‘The Cloud’ in order to use WIFI in our pubs and opt to receive company information.
- they purchased Wetherspoon vouchers online between January 2009 and August 2014.
- they submit a ‘Contact Us’ form.
Why is this information held by a third party and not by the company?
In common with many companies we engaged a third party, which specialises in this type of work, to host the company website and to hold information on our behalf.
Was the credit/debit card data encrypted?
The data was not encrypted because the first 12 digits and the security number on the reverse of the card were not stored on the database.
What will happen to the personal data that has been breached? What will the hackers do with it?
We cannot say for sure.
The breach took place some time ago. There has been no information from customers, or from our cyber security specialists, that leads us to believe that fraudulent activity has taken place, although we cannot be certain.
If we become aware of any further information we will inform you straight away by sending an email.
What have we done to secure the data that we do hold?
We take any threat to the security of our customers’ data very seriously.
We regularly review and update our systems to maximise security and we are reviewing this breach with the help of expert advice to understand this incident and prevent a recurrence.
This type of illegal activity is clearly becoming more sophisticated and cyber attacks against companies are increasing.
We shall be as vigilant as possible in this area.
Is there anything I can do to protect myself?
As indicated in the email of 3rd December (see above), you should remain vigilant for any emails that you are not expecting, that ask you for personal or financial information or request you to click on links or download information.
We recommend that if you are contacted by anyone asking you for personal data or passwords (such as for your bank account details), please take all steps to check the true identity of the organisation.
It is also recommended that you do not use the same password across a number of systems or websites, whether at work or at home.
Why were you targeted?
There does not appear to be a specific reason why the company was targeted.
How many customers have been affected?
The database contained details of 656,723 customers.
As regards credit/debit card transactions, very limited details of 100 cards were obtained, as outlined.
Has JD Wetherspoon breached the Data Protection Act?
No. This is a criminal attack. We consider that we have taken appropriate technical and organisational measures as required by the Act to protect your data.
We have notified the Information Commissioner’s Office (ICO) and will offer them our full cooperation.