back to article JD Wetherspoon: A 'hacker' nicks 650,000 pub-goers' data

Pub chain JD Wetherspoon has confessed to a data breach in which a third party managed to snag the personal data of 650,000 customers, together with some financial data, through a hack on its old website. Some of the pub chain's staffers' personal info was also accessed. A database containing personally identifiable …

  1. Prst. V.Jeltz Silver badge
    Pint

    Beer icon

    because beer!

    Friday beer hacking story yay!

    1. chivo243 Silver badge
      Pint

      Re: Beer icon

      damn, beat me to it... Pub hacking story released on Friday! Classic!!

  2. Dan 55 Silver badge

    so they're only storing the last four digits of a CC number

    Why?

    There seems to be some dim awareness that they shouldn't store unnecessary data but then they go and store some CC info which on its own is useless but could be of some use in a hack if someone is so minded to join up bits of data from different sources.

    1. Anonymous Coward
      Anonymous Coward

      Re: so they're only storing the last four digits of a CC number

      It's kind of standard.

      http://security.stackexchange.com/questions/19860/minimum-requrements-for-storing-last-4-digits-of-credit-card-number

      The last four digits are what most payment gateways return to you. As such there shouldn't be sources that contain the other digits to build the whole string.

  3. Smooth Newt

    Public relations view of the universe

    "a tiny number of customers (100)". Since when was 100 a tiny number? 0.000000000000000000000000000000000000000000001 is a tiny number. Perhaps they mean "a small proportion of their total database". But if that is the way of accounting for this, then a company which had the same hack but twice the number of customers in their database would somehow be "better", even though the same number of people, 100, would still be affected.

    1. 's water music Silver badge

      Re: Public relations view of the universe

      PR spins news story shocker...

      Obviously they are spinning a line as one would expect but I thought that they managed not to sound too weasel-worded about it. The 'size' of does depend on your frame of reference so I think that there is some justification and since it appears they are unable to tell which customers are affected each person has better odds when they are 100:656,723 versus 100:100.

      Obviously they could be lying or they could be presenting information that will later turn out to be wrong or incomplete and there is a question of how the compromise of a website released PII

    2. Cronus

      Re: Public relations view of the universe

      Is 0.000000000000000000000000000000000000000000001 a tiny number though? It's a lot bigger than 0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001

      Surely it's relative to the kind of numbers you'd normally be talking about. Both your example and mine are tiny compared to the normal >1 numbers we use on a day to day basis. 100 out of 650,000 is pretty small and given that when companies normally get hacked you're not normally talking about hundreds of credit card details getting stolen. The number is usually quite a lot bigger.

      Not that I'm excusing them.

  4. Buzzword

    DOBbing

    Why do so many companies ask for your date of birth anyway? On principle I always give a fake one, unless they actually need it to run a credit check.

    1. Anonymous Coward
      Anonymous Coward

      Re: DOBbing

      I use a fake one which I can easily remember, just in case it becomes a security question at some point.

      Except for the debt collectors who asked for my DoB 'to verify my identity' at a point where they shouldn't have it. I queried them on that and they then claimed it was so I could verify my identity in future calls (ie they hadn't already got it)... as far as they were concerned, I was born on the 37th Novembuary in the year of 'kiss my arse'

  5. Anonymous Coward
    Anonymous Coward

    As a former employee I'm absolutely not surprised. For a good 18 months after leaving the company I could still log in to the staff intranet and print off a 20% food discount voucher - which you could then sweet talk the manager serving you to bump it up to 50%. Their IT leaves a lot to the imagination.

    AC because, well it's obvious why.

    1. anonymous noel coward~

      From another former employee, Wetherspoon certainly loved to squeeze the staff budget as much as possible. As the saying goes - "if you pay peanuts you get monkeys"; and I definitely worked alongside a few of those front of house.

      It's not hard to imagine what effect this policy would have on their IT dept.

  6. Alistair Dabbs

    Happy hour

    The hacker only wanted 325,000 records but there was a two-for-one offer.

  7. Blipvert
    Pint

    Beer Goggles..

    I like a pint and a Ginsters.....how can this knowledge be used against me?

    (tasty icon)

    1. Anonymous Coward
      Anonymous Coward

      Re: Beer Goggles..

      Ginsters?? Seriously???

      Try some real food some time - you might be surprised!

      1. Goldmember

        Re: Beer Goggles..

        Real food? You do know the story is about Spoons, don't you?

    2. allegoricus

      Re: Beer Goggles..

      Ginster's? I bloody hope so!

  8. Tom 7 Silver badge

    Did you spill my data

    yer bassa

  9. Mike Moyle Silver badge

    Hacking a pub...

    Dear GOD...! Is NOTHING sacred?!!?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hacking a pub...

      a pub...

      I don't tend to think of anything bearing the Wetherspoons name as a pub, merely a corporate retailer that does on-sales.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hacking a pub...

        Very small portions of food (count the chips) means it's not very good value, but their toilets are usually cleaner than average, so they're useful for a "Wethershit", if nothing else.

    2. David Roberts Silver badge

      Re: Hacking a pub...

      Not sure where all this dislike of Westherspoons is coming from. It may be regional bit in my limited experience they sell good beer at a budget price and the food is also cheaper than most.

      Generally a safe bet in a strange town.

      Also generally clean toilets. Much like MacDonalds which is a good place for a Mc toilet break anywhere in the UK, especially important if you have young kids. Food is beter than McD as well.

  10. wolfetone Silver badge

    The Cloud

    I didn't know that me typing in my email and password in to The Cloud WiFi network would be stored by Wetherspoons, but it was probably in the T&C's I didn't bother to read because I was drinking a pitcher of Cheeky Vimto.

    1. Goldmember

      Re: The Cloud

      Always assume every company operating a "cloud" or similar service (pubs, coffee shops, airports) is storing whatever info you put in there. That's why I've got a disposable email address, fake name and fake DoB I use for that kind of thing. All of which is easy for me to remember, even when pissed ;-)

    2. Anonymous Coward
      Anonymous Coward

      Re: The Cloud

      The cloud is Sky, nothing to do with JDW

      1. wolfetone Silver badge

        Re: The Cloud

        "The cloud is Sky, nothing to do with JDW"

        Then why have JDW got the email addresses for The Cloud then?

        1. Alan Edwards

          Re: The Cloud

          > "The cloud is Sky, nothing to do with JDW"

          >

          > Then why have JDW got the email addresses for The Cloud then?

          You have to have signed in to The Cloud *and* signed up to get marketing emails from Wetherspoons when you registered,

          This might explain why I'm suddenly getting spam from Joseph Holt pubs...

  11. Doogie Howser MD

    Sophisticated

    Funny how all of these data breaches are done by using "sophisticated" techniques, thus drawing attention away from the usually shite data security mechanisms.

    In my experience, the bigger the company, the shiter the security.

  12. run_dmc

    I suspect

    I suspect a tracksuit sales company is behind this

    1. Roq D. Kasba

      Re: I suspect

      Or data miners who already have a corresponding data set concerning large TV's and Sky subscriptions.

  13. Anonymous Coward
    Anonymous Coward

    Beer vouchers

    Obviously this is serious and companies should be fined if they allow their whole customer database to be accessible from their website, regardless of the attack sophistication (SQL injection guaranteed). At the same time I find it amusing that they only sold 100 vouchers on their website between January 2009 and August 2014. Whoever came up with that scheme in their marketing department is certainly pulling their weight.

  14. als1232

    Will someone kindly tell me why

    this data is collected and kept? What good is it to have names, dates of birth, and the last four digits of a CC in a database for a pub? How do you know it's even remotely close to reality (except, perhaps, for the CC number if it's a real one and not prepaid). Why keep unreliable information which doesn't have too much value in any case? I understand you can target age groups, but is it worth storing info on the off chance you want to do that? Also, do you really want to target people by the month and day they were born rather than the year? This is all assuming you didn't get a false DOB to start with.

  15. MrDamage

    worrying trend

    The NSW govt in Oz has implmented all these extra laws in wake of a few alcohol fueled "one punch deaths", which include most clubs, and a lot of late night pubs, scanning a copy of your ID, making them a prime target for hackers intent on ID theft.

    Typically, the govt will shirk all responsibility if ID theft occurs, and will instead blame the pub and club owners for the theft, despite them mandating the ID scanning, and the type of systems required.

  16. Anonymous Coward
    Anonymous Coward

    PR noobs

    Blaming it on "some hacker" makes you look incompetent.

    Always go with North Korea.

  17. g7rpo

    Never give these people correct details, I think if I had used their wifi I would have been using the email address of hectorhorseporn@hotmaill.com which I have now binned.

    Does anyone actually use their real information on these things

  18. Disko
    Mushroom

    I'll have

    a tiny number of pints on the house. Nothing excessive, just a couple hundred.

  19. philthane

    Why?

    Why would 650,000 drinkers give their details to a pub chain in the first place?

  20. macjules Silver badge
    WTF?

    Err ...

    You do know that The_Cloud is owned by Sky UK and not by Wetherspoons?

  21. IanTP
    Pint

    In Further News...

    Spoons are no longer accepting CAMRA vouchers or offering a discount to holders of the MANGO bus card scheme.

  22. pewpie
    Pint

    Surely..

    ..the correct headline is: 'Did you just hack my pint?'

  23. JamieL

    Well I'm not surprised

    A few months back I went onto their website to book a room. I was on the verge of hitting "submit" when I noticed that the page header was plain old "http://..." and so my card details and address were about to be sent off in the clear.

    Being a kind soul I sent a message and screenshot to them via "contact us" to let them know, and in particular draw their attention to their Ts&Cs which said that I was responsible for ensuring the security of my personal details which I clearly couldn't do if I used their website.

    Of course I didn't get a response, but then I guess they knew already by then.

    1. Captain Badmouth
      FAIL

      Re: Well I'm not surprised

      Doesn't your browser ask you - " Submit data without encryption?", in such circumstances?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019