because beer!
Friday beer hacking story yay!
Pub chain JD Wetherspoon has confessed to a data breach in which a third party managed to snag the personal data of 650,000 customers, together with some financial data, through a hack on its old website. Some of the pub chain's staffers' personal info was also accessed. A database containing personally identifiable …
Why?
There seems to be some dim awareness that they shouldn't store unnecessary data but then they go and store some CC info which on its own is useless but could be of some use in a hack if someone is so minded to join up bits of data from different sources.
It's kind of standard.
http://security.stackexchange.com/questions/19860/minimum-requrements-for-storing-last-4-digits-of-credit-card-number
The last four digits are what most payment gateways return to you. As such there shouldn't be sources that contain the other digits to build the whole string.
"a tiny number of customers (100)". Since when was 100 a tiny number? 0.000000000000000000000000000000000000000000001 is a tiny number. Perhaps they mean "a small proportion of their total database". But if that is the way of accounting for this, then a company which had the same hack but twice the number of customers in their database would somehow be "better", even though the same number of people, 100, would still be affected.
PR spins news story shocker...
Obviously they are spinning a line as one would expect, but I thought that they managed not to sound too weasel-worded about it. The 'size' of it does depend on your frame of reference, so I think that there is some justification, and since it appears they are unable to tell which customers are affected, each person has better odds when they are 100:656,723 versus 100:100.
Obviously they could be lying or they could be presenting information that will later turn out to be wrong or incomplete and there is a question of how the compromise of a website released PII
Is 0.000000000000000000000000000000000000000000001 a tiny number though? It's a lot bigger than 0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
Surely it's relative to the kind of numbers you'd normally be talking about. Both your example and mine are tiny compared to the normal >1 numbers we use on a day to day basis. 100 out of 650,000 is pretty small and given that when companies normally get hacked you're not normally talking about hundreds of credit card details getting stolen. The number is usually quite a lot bigger.
Not that I'm excusing them.
I use a fake one which I can easily remember, just in case it becomes a security question at some point.
Except for the debt collectors who asked for my DoB 'to verify my identity' at a point where they shouldn't have it. I queried them on that and they then claimed it was so I could verify my identity in future calls (ie they hadn't already got it)... as far as they were concerned, I was born on the 37th Novembuary in the year of 'kiss my arse'
As a former employee I'm absolutely not surprised. For a good 18 months after leaving the company I could still log in to the staff intranet and print off a 20% food discount voucher - which you could then sweet talk the manager serving you to bump it up to 50%. Their IT leaves a lot to the imagination.
AC because, well, it's obvious why.
From another former employee, Wetherspoon certainly loved to squeeze the staff budget as much as possible. As the saying goes - "if you pay peanuts you get monkeys"; and I definitely worked alongside a few of those front of house.
It's not hard to imagine what effect this policy would have on their IT dept.
Not sure where all this dislike of Wetherspoons is coming from. It may be regional, but in my limited experience they sell good beer at a budget price and the food is also cheaper than most.
Generally a safe bet in a strange town.
Also generally clean toilets. Much like McDonald's, which is a good place for a Mc toilet break anywhere in the UK, especially important if you have young kids. Food is better than McD as well.
Always assume every company operating a "cloud" or similar service (pubs, coffee shops, airports) is storing whatever info you put in there. That's why I've got a disposable email address, fake name and fake DoB I use for that kind of thing. All of which is easy for me to remember, even when pissed ;-)
> "The cloud is Sky, nothing to do with JDW"
>
> Then why have JDW got the email addresses for The Cloud then?
You have to have signed in to The Cloud *and* signed up to get marketing emails from Wetherspoons when you registered.
This might explain why I'm suddenly getting spam from Joseph Holt pubs...
Obviously this is serious and companies should be fined if they allow their whole customer database to be accessible from their website, regardless of the attack sophistication (SQL injection guaranteed). At the same time I find it amusing that they only sold 100 vouchers on their website between January 2009 and August 2014. Whoever came up with that scheme in their marketing department is certainly pulling their weight.
this data is collected and kept? What good is it to have names, dates of birth, and the last four digits of a CC in a database for a pub? How do you know it's even remotely close to reality (except, perhaps, for the CC number if it's a real one and not prepaid). Why keep unreliable information which doesn't have too much value in any case? I understand you can target age groups, but is it worth storing info on the off chance you want to do that? Also, do you really want to target people by the month and day they were born rather than the year? This is all assuming you didn't get a false DOB to start with.
The NSW govt in Oz has implemented all these extra laws in the wake of a few alcohol-fuelled "one punch deaths", which include most clubs, and a lot of late night pubs, scanning a copy of your ID, making them a prime target for hackers intent on ID theft.
Typically, the govt will shirk all responsibility if ID theft occurs, and will instead blame the pub and club owners for the theft, despite them mandating the ID scanning, and the type of systems required.
A few months back I went onto their website to book a room. I was on the verge of hitting "submit" when I noticed that the page header was plain old "http://..." and so my card details and address were about to be sent off in the clear.
Being a kind soul I sent a message and screenshot to them via "contact us" to let them know, and in particular draw their attention to their Ts&Cs which said that I was responsible for ensuring the security of my personal details which I clearly couldn't do if I used their website.
Of course I didn't get a response, but then I guess they knew already by then.