It has been reported that pub chain JD Wetherspoon has been hit by a data breach that has affected more than 650,000 customers. While JD Wetherspoon has not confirmed the details of the breach, it suggests that an ‘old database’ used by the company’s previous website was attacked and personal information, such as customer names and email addresses, has been compromised.
JD Wetherspoon CEO John Hutson said in a statement released to the market today: “Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.” Security experts from WhiteHat Security, Thales e-Security, Veracode and Rapid7 have the following comments on this breach.
[su_note note_color=”#ffffcc” text_color=”#00000″]Simon Keates, Consultant in Mobile Security at Thales e-Security :
“Although it is reported that “very limited” credit and debit card information was accessed in the Wetherspoons breach, it is of no less significant concern that personal details including names and email addresses may have been stolen. In fact, theft of card details is relatively easy to ‘deal with’ – they can be blocked and replaced. It’s the other – seemingly innocuous – information that can post a bigger problem. Details such as your mother’s maiden name, your date of birth, and where you live can be pieced together relatively easily by would-be criminals and used as bait for targeting phishing attacks and identity theft to access more sensitive information. Armed with this information, hackers can continue to commit behavioural attacks well beyond the initial breach. In today’s data-flooded world, security is increasingly becoming a big data problem – accessing personal details is just one more step in building a large database to mine information. Businesses need to change the way they think about data protection, extending their encryption policies to cover all personally identifiable information, so it is ‘detoxified’ should it fall into the wrong hands. Without this, there’s a real danger that attackers will know much more about you than your favourite beer..”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Paul Farrington, Senior Solution Architect at Veracode :
Just as you can’t lock a door you don’t know is there, this breach has demonstrated how important it is for companies to have full visibility into their web perimeter. The Wetherspoons breach seems to have occurred due to the company failing to decommission old web applications, illustrating how companies that don’t take steps to determine the full scope of their IT environment leave themselves open to be exploited through unpatched vulnerabilities in these forgotten apps.
When working with companies to reduce application-layer risk, Veracode typically finds 40 percent more websites than they originally believed they had (more than more than 350,000 sites in the past two years alone). To dramatically reduce their risk, it is essential that organisations identify all the web and mobile applications on their IT environment, and work to secure those which are needed and decommission those which no longer serve a purpose.
There remains a perception that it’s only other companies that get hacked. The reality is that every company is being scanned each day by different threat actors. We hear about the high profile attacks such as the recent Talk Talk incident and now this attack, yet this in a strange sense creates a false sense of security because they appear to happen days or weeks apart. The reality is that so many attacks either remain undisclosed or undetected.
CIOs have an opportunity to save money and reduce their attack surface by rediscovering their web perimeter. Automation makes this easy to do. A typical virtual machine used to host a website from a leading cloud provider, costs around £1.7K per annum. Turn-off just a few handfuls of these unloved servers with potential vulnerabilities – over time the firm might easily save more than £100K annually.[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Johnathan Kuskos, Manager, Threat Research Centre at WhiteHat Security :
“To say that “…hacking is becoming more and more sophisticated and widespread” is the modern age “my dog ate my homework” excuse for a data breach. Until we see what the attack actually was, I’d hardly call it sophisticated right from the start. If it ends up being the result of SQLi, which is my bet since JD Wetherspoon call the database “old”, there’s not much sophisticated about it. SQLi was a Top 10 OWASP vulnerability in 2007, that’s nearly 9 years ago.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tod Beardsley – Security Engineering Manager, Rapid7 :
“So far, the scope of the Wetherspoon breach seems relatively limited, with just a small portion of those breached having financial details exposed. This is especially true when compared with some other recent hacks, including TalkTalk, LANDESK, and VTech, even though the volume is being reported as significantly larger.
For most of those impacted, the details compromised included names, phone numbers, email addresses, and birthdates – and early reports put the number of customers breached upward of half a million.
While data dumps like these can be useful for organised phishing campaigns, there are plenty more comprehensive sources for mass marketing data like this. Ultimately, the Wetherspoon breach is a reminder to people to be careful about who they share their personally identifiable information (PII) with, even when a company makes a PII promise, and to stay vigilant about monitoring credit card statements for unusual activity.”[/su_note]