Pub operator JD Wetherspoon has launched an investigation after some customer and staff information was accessed illegally by a third party
Wetherspoon said it was taking action after making the discovery that information was obtained from its old website, which has been replaced.
No financial data was involved in the hacking and no passwords were obtained for any customers. But 100 customers, who purchased Wetherspoon vouchers online before August 2014, limited credit/debit card details were accessed, Wetherspoon said.
Only the last four digits of the card numbers were obtained, since the remaining digits were not stored in the database. Other information such as the customer name and the expiry date were not compromised. As a result, the credit/debit card details cannot, on their own, be used for fraudulent purposes.
Some personal staff details, registered before November 2011, were stolen, but no salary, bank, tax or national insurance information was accessed.
The pub group said it has alerted customers to the situation by email and has also instructed a cyber security specialist to conduct a full investigation into the breach.
John Hutson, chief executive of JD Wetherspoon, said: “We apologise wholeheartedly to customers and staff who have been affected.
“Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”
The Information Commissioner’s Office (ICO), which regulates data protection, has been notified of the breach.
Wetherspoon says its current website is managed by a new digital partner and has no connection to the website that was the subject of the breach of security.