One of the UK's biggest pub chains has reported a massive breach of its customer database which saw names, dates of birth, email addresses and phone numbers of 656,723 Britons breached.
The incident happened in June but Wetherspoons officials were only told about the hack by security experts earlier this week. The cyber criminals also stole unencrypted credit card and debit card data from 100 pub-goers who bought vouchers from the JD Wetherspoon site.
The pub chain assured customers in a statement that 'only the last four digits of the card numbers were obtained, since the remaining digits were not stored in the database. Other information, such as customer name or expiry date, was not compromised. As a result, these card details cannot be used for fraudulent purposes.'
> See also: Unencrypted data of 4 million TalkTalk customers left exposed in 'significant and sustained' attack
But security expert Simon Keates from Thales e-Security warned that although it is reported that 'very limited' credit and debit card information was accessed in the Wetherspoons breach, it is of no less significant concern that personal details including names and email addresses may have been stolen.
'In fact,' said Keates, 'theft of card details is relatively easy to ‘deal with’ – they can be blocked and replaced. It’s the other – seemingly innocuous – information that can post a bigger problem. Details such as your mother’s maiden name, your date of birth, and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive information.'
'Armed with this information, hackers can continue to commit behavioural attacks well beyond the initial breach. In today’s data-flooded world, security is increasingly becoming a big data problem – accessing personal details is just one more step in building a large database to mine information.'
As a result, businesses need to change the way they think about data protection, added Keats.
'They need to extend their encryption policies to cover all personally identifiable information, so it is ‘detoxified’ should it fall into the wrong hands. Without this, there’s a real danger that attackers will know much more about you than your favourite beer.'
So why did this breach occur?
Mark James, Security Specialist at IT security firm ESET pointed out that all too often these days, website security is not up to the standards required to combat the expertise that modern day cyber criminals possess. John Hutson the CEO of JD Wetherspoons has stated that the breach affected the chain's 'old website' which has since been replaced in its entirety.
> See also: Almost ALL websites have serious security vulnerabilities, study shows
'There’s a high possibility that little or poor security was involved in the original creation of the site and that in itself led to the site being rewritten,' said James. 'If this was the case it would be quite easy to gain access to that data and retrieve all the information and leave without anyone ever noticing.'
'What is a concern here is the fact that Wetherspoons did not even know they had been compromised and although the attack happened in June, were only informed recently by security experts.'
'Organisations need to review their website security, ensuring all patches are applied to software and hardware where required,' added James.
'Regular data monitoring needs to be in place to spot attacks before they manage to be successful and internet security software should be in place and updating regularly. Also, make sure you’re running an up-to-date secure operating system and do not be afraid to seek help.'