Wetherspoon Pub Chain Data Breach Warning

Hot on the heels of the latest TalkTalk security breach comes news that well-known pub chain JD Wetherspoon fell victim to hackers in June. In this attack, a large customer database is reported to have been accessed by the hackers. The database included a small number of incomplete customer credit / debit card details. The finger of suspicion for the attack is currently pointing at a Russia-based hacker group.

The Scale and Type of Data

The database that hackers broke into is reported to have contained the details of 657,000 customers, the details of the company’s 15,000 staff, and the last four digits of the credit / debit cards of around 100 customers who had purchased Wetherspoon vouchers online. The database is reported to have contained personal data such as email addresses, phone numbers and dates of birth.

A Delay in Detection

One of the most worrying aspects of this security breach is that although it happened in June it has only just been discovered. A relatively long delay between a cyber crime taking place and its detection appears to have become more common in recent times. In July 2014, for example, an attack on Paddy Power was reported after a 4-year-long breach is thought to have taken place.

How Did The Breach Happen?

The Wetherspoon’s database targeted by the criminals was populated with data given by customers when they signed up to receive the Wetherspoon’s newsletter, registered with The Cloud to use Wi-Fi in their pubs, submitted a ‘contact us’ form on the website, and / or bought vouchers online prior to August 2014.

The compromised database is reported to have been related to an old version of the JD Wetherspoon website that was held by the third-party company that formerly hosted it. The third-party company itself was unaware that the security breach had taken place.

Who Detected the Breach?

The security breach was finally detected by the CyberOPS Team of a cyber intelligence group called CyberInt while in the course of investigating another case. According to the CyberInt blog “It came up in our Argos Cyber Threat Intelligence Platform via one of its sources, a cyber-crime forum on the Dark Web”. CyberInt also reported that the stolen information is for sale to the highest bidder on a forum run by Russian hacker ‘w0rm’. The motivation for the attack is thought to be money and JD Wetherspoon is thought to be one of many ‘Big Names’ targeted by the same hacker group.

Issues

The most obvious issue in this case is that stolen personal details could be used by the hackers themselves or by the purchasers of the stolen data to commit more crime such as theft (money & identity) and fraud. Another issue is the potential damage to the reputation and brand of the affected companies, and the loss of trust among customers and potential customers. One last important issue from the customer’s perspective is that if, as in this case, there is a long delay between the crime and its detection, affected customers have no time to take precautionary steps to prevent the criminals from taking money from their bank accounts.

What Has Happened So Far?

JD Wetherspoon are reported to have said that there are no indications that the stolen data has been used for fraudulent activity, and that the Information Commissioner’s Office (ICO) had been notified of the breach. A forensic investigation into the breach is now underway.

What Steps Can A Business Take to Avoid This?

Although UK businesses (excluding telcos) can currently choose not to report a breach, the incoming Data Protection Regulation will mean that companies could face large fines, greater reputational damage, and other legal consequences if they choose not to report one.

There is an obvious need for companies to make sure that their security practices and systems are up to date and robust, and that they conform to best practice. The advice from CyberInt, who discovered the JD Wetherspoon breach, is that as well as reinforcing traditional cyber defences, companies should now be more proactive.

CyberInt say that this can be best done by “collecting targeted cyber intelligence from thousands of sources including the dark web, the deep web, social networks and other sources, and by continuously assessing the organisation’s resilience to these attacks.”