Staggering data breach at JD Wetherspoon
In June, the personal details of 656,723 customers of pub chain JD Wetherspoon were stolen. Details such as names, dates of birth, email addresses and telephone numbers had been stored on an old website which got breached.
To put this latest data breach in a better perspective, the TalkTalk hack affected 156,959 customers, or almost a quarter of this one.
The Financial Times states that the data is already on sale on the dark web.
What is surprising is that Wetherspoon only got to know about the breach on the 1st of December, giving the attackers a 6-month head start!
In a statement, Wetherspoon said that:
“For a tiny number of customers (100), who purchased Wetherspoon vouchers online before August 2014, very limited credit/debit card information was stolen. Only the last 4 digits of the cards were obtained, since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date were not compromised. As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes.”
While we agree with Wetherspoon that the threat is limited in scope, it is still very real. Social engineering attacks such as spear phishing can be carried out easily with people’s personal information. Customers who have had their data stolen can also be victims of identity theft or even worse, have their accounts taken over by a smooth talking hacker.
And for those who had their card information stolen as well, history has shown us that even the last 4 digits of a card can be used to gain access to your Amazon and Apple accounts.
Companies need to be constantly vigilant for such types of attacks and ensure they have a constantly updated security system in place along with an actionable disaster recovery plan.