British pub chain JD Wetherspoon has admitted that over 650,000 customer records and 100 partial credit card details were stolen in a cyber attack on the database of an old website.
The names, addresses, email addresses and phone numbers of 656,723 customers were stolen by hackers alongside "very limited" card details, the firm claimed. It is also estimated that 15,000 staff who worked at JD Wetherspoon during 2010 had personal details compromised in the hack, according to the Financial Times.
The hack occurred on a third-party hosting service in June, but surfaced only on 2 December.
JD Wetherspoon chief executive John Hutson said in a letter to customers: "We cannot confirm whether any of your personal data was included in this breach. However, I wanted to make you aware immediately and apologise on behalf of the company.
"We have taken all necessary measures to secure our website following this attack. A forensic investigation into the breach is continuing.
"In this instance, we recommend that you remain vigilant for any emails that you are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information.
"We also recommend that if you are contacted by anyone asking you for personal data or passwords, such as for your bank account details, you should take all steps to check the identity of the organisation."
The Information Commissioner's Office, which can levy fines of up to £500,000 for data breaches, has been notified of the incident.
Mark James, cyber specialist at security firm ESET, said that the breach was probably down to lax security on the unused website.
"All too often these days website security is not up to the standard required to combat the expertise that modern day cyber criminals possess," he said.
"There's a high possibility that little or poor security was involved in the original creation of the site that led to the site being rewritten. If this was the case it would be quite easy to gain access to that data and retrieve all the information and leave without anyone ever noticing.
"What is a concern here is the fact that JD Wetherspoon did not even know it had been compromised and, although the attack happened in June, was only informed recently by security experts."
Piers Wilson, head of product management at Huntsman Security, added: "The real damage here to Wetherspoon's reputation might not be from the data taken, but from the fact that the attack happened in the summer and only came to light this week."
Matthew Aldridge, security expert at Webroot, explained that the responsibility is now on JD Wetherspoon to fully investigate the breach.
"Whether a full set of customer data has been stolen by the hackers or not, it still puts customer data at risk and will reduce the level of trust towards such a large chain of pubs," he said.
The theft of more than 650,000 customer records makes the incident four times larger than the attack on TalkTalk, which confirmed recently that 156,959 customers were affected by a breach in October.