JD Wetherspoon admits credit card data breach

The pub group JD Wetherspoon has apologised after some customer credit card details and staff details were accessed illegally by a third party.

Chief executive John Hutson apologised to customers, and said that they should remain vigilant, but said that no financial data had been involved and no passwords had been obtained.

The data breach, which was only confirmed internally on 2 December, happened on 15-17 June from the group's old website, which has been replaced in its entirety since, and is being managed by a new website partner.

The group is now launching an investigation into the incident, with the Information Commissioner's Office now informed.

The details of 656,723 customers may have been affected, including names and email addresses, the company admitted, although it reassured customers that any stolen card data was not enough to put customers at risk of fraud, and that no passwords had been at risk.

Only around 100 customers may have had their card details accessed, the group said, and this would only concern the last four digits of their card numbers, entered online when buying Wetherspoon vouchers between January 2009 and August 2014. No further card details or passwords had been stored on the company database, the statement said.

Some personal staff details registered before 10 November 2011 were also accessed, but this did not include any salary, bank, tax, or national insurance information.

Hutson said: "We apologise wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence."

JD Wetherspoon to open four new hotels >>

JD Wetherspoon admits liability in second traveller discrimination case >>