The data breach, which took place between 15 and 17 June this year and saw the data of 656,723 customers accessed, is the latest in a recent line of attacks on the hospitality industry.
The operator has said that ‘a tiny minority’ of 100 customers had their credit/debit cards accessed, although this was limited to the final four digits of the card. As a result, no fraudulent activity can take place. Those affected had purchased Wetherspoon vouchers online before August 2014.
Some personal staff details, registered before 10 November 2011, were stolen, but no salary, bank, tax or national insurance information was breached.
No passwords were obtained by the hackers.
In a statement, Wetherspoon chief executive, John Hutson, said: “We apologise wholeheartedly to customers and staff who have been affected.
“Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”
The information was obtained from the pub operator’s old website, which has been replaced in its entirety. The current website is managed by a new digital partner with no links to the website that was the subject of the security breach.
In an email to customers, the operator offered advice to those affected.
“We recommend that you remain vigilant for any emails that you are not expecting, that specifically ask you for personal or financial information, or request you to click on links or download information.
“We also recommend that if you are contacted by anyone asking you for personal data or passwords, such as for your bank account details, you should take all steps to check the true identity of the organisation.”
The Information Commissioner’s Office, which regulates data protection, has been notified of the breach, and the group is investigating the incident.