Another Day, Another Hack: Data of Over 656,000 Wetherspoon Pub Customers
Hackers may have gotten away with names, emails, dates of birth, and phone numbers of hundreds and thousands of customers.
Image: Che Saitta-Zelterman
Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.
That's why we launched this new format: Another Day, Another Hack. We'll do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, and as new data breaches fight for your attention, real people are still getting fucked over somewhere, and should know about it.
A website for JD Wetherspoon, the highly popular UK pub chain, has been breached. Hackers got away with the names, dates of birth, email addresses, and phone numbers of potentially 656,723 customers, as well as some partial debit and credit card details, Wetherspoon confirmed.
According to a statement from the pub chain, some unspecified staff data registered before 10 November 2011 was also stolen, "but no salary, bank, tax or national insurance information was accessed."
Wetherspoon writes that the stolen card data only affects 100 customers, and includes the last four digits of the card numbers.
"We received information on the afternoon of the 1st December that some customer data may have been stolen by a third party," reads an email the company sent to a potential victim, who posted it to Twitter. "An urgent investigation by cyber security specialists was instigated."
Wired UK reports that security company CyberInt discovered the breach and linked the hack to a Russian group. It added that others affected by the hack could include those who registered for free WiFi in a Wetherspoon pub, opted to receive a company newsletter, or reached out to Wetherspoon through the organisation's contact form. The Wetherspoon spokesperson added that the 100 people whose partial payment data was included in the breach had purchased vouchers online between January 2009 and August 2014.
The breach was related to Wetherspoon's old website, which was targeted between 15 and 17 June earlier this year, the company's statement explains.
"This website has since been replaced in its entirety," the customer email states. "Our current website is managed by a new digital partner. The new partner has no connection to the website that was the subject of the breach of security."
The lesson: JD Wetherspoon was keen to point out that this problem affected an "old" website. With that in mind, the company should ensure that its current site is not vulnerable to some of the most common attack vectors hackers use, such as SQL injection, so that this sort of breach doesn't happen again.
Another day, another hack.