Popular pub chain Wetherspoons has suffered a data breach. Cyber criminals have stolen sensitive data such as credit and debit card data from customers who bought vouchers from the JD Wetherspoon site. Security experts from Tripwire, ESET and Lieberman Software have the following comments on this breach.
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software :
Any ideas as to what may have lead to the breach?
“Wetherspoons says the breach was on their old website, at least in part. Whenever you hear “old” in reference to technology, you should understand it to mean insecure and containing vulnerabilities the bad guys know and love.”
While we don’t know exactly what happened, this is the most recent in a very long line of large scale breaches involving customer data – why?
“Wetherspoons is only one in a chain of breaches because the bad guys are becoming more professional. They are attacking anything and everything that can yield money. People still picture lone wolf hackers in a basement with their face lit by a single glowing monitor, wearing a hoodie and drinking an energy drink. Many of the bad guys are going into offices in Eastern Europe or Asia and simply doing a job. They are more concerned with their benefits than with who they may be attacking. Stealing digital information isn’t a hobby, it’s a career.
We’ve also become much better at seeing the signs of a breach. So we have a combination of more brute force attacking and more attention being paid feeding the headlines new incidents daily.”
Advice to customers that may be affected
“Customers should do the only thing they can do – watch their financials for suspicious transactions. If anyone who got caught up in this breach hasn’t already learned the lesson that they should not use the same passwords and security question answers across multiple sites, then hopefully this will make that lesson sink in. Sadly, it seems that’s the only way many people will really start taking that warning seriously.”
What should organisations be doing to stop this happening?
“The advice for anyone running a website is the same “eat right and exercise” style advice security folks have been giving for decades. There are well known things people can do to protect their website assets, and most of it is simply good hygiene in the development and operations processes. Organizations looking for a good, specific, prescriptive guide to this security would do well to go to the OWASP top ten list, where they maintain the most urgent threats to website security.”
Have Wetherspoons handled this well? What can they learn from TalkTalk’s recent experience?
“People can handle bad news but they hate surprises. Lucky for Wetherspoons, breaches aren’t that surprising anymore. But people don’t like it when they aren’t told until it feels too late. The announcements from Wetherspoons seem to be coming out as soon as they know anything. So that gives the impression that they are trying their best to keep the public informed. It’s still bad news, but at least they are giving people the information they need to understand what’s happening.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of Security and Product Management at Tripwire :
“If you’re an organization that collects data about your customers, you’re a target for cyberattacks, and you should be considering how you protect that data. While the loss of credit card data clearly constitutes a significant risk, all personal data is valuable to cybercriminals.
When personal information is compromised, the risks to the consumer usually involve identity theft and other scams. If your data was part of the compromise, watch out for unsolicited phone calls, emails and other evidence of identity theft. Your data may be used weeks or months after the compromise, so check your credit report three or six months down the road.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, Security Specialist at IT Security Firm ESET :
Any ideas as to what may have lead to the breach?
“All too often these days website security is not up to the standards required to combat the expertise that modern day cyber criminals possess. John Hutson the CEO of JD Wetherspoons has stated that the breach affected the chain’s “old website” which has since been replaced in its entirety.
There’s a high possibility that little or poor security was involved in the original creation of the site and that in itself led to the site being rewritten. If this was the case it would be quite easy to gain access to that data and retrieve all the information and leave without anyone ever noticing. What is a concern here is the fact that Wetherspoons did not even know they had been compromised and although the attack happened in June, were only informed recently by security experts.”
While we don’t know exactly what happened, this is the most recent in a very long line of large scale breaches involving customer data – why?
“Let’s be realistic here, breaches are happening all the time, some are successful and some are not, more worryingly some go unnoticed for weeks, months or even years before being found out. Customer data can be used for many things not just instant financial gain, the type of data being harvested will almost certainly go on to be used for identity theft or used for phishing scams in an attempt to lure the unsuspecting public with snippets of valid data. Any data that rings true will have a higher chance of progressing further than the daily deluge of opportunistic spam we receive.”
Advice to customers that may be affected
“If you think you have been affected by this or any other breach there are a few things you can do to help protect yourself, change any passwords that were used on this site that you may also be using on others. Be very mindful of any communication out of the blue that may contain small amounts of information about you and always double check with financial organizations before supplying more details. If you get an email to verify your details spend a few more minutes calling or contacting that company to verify its validity, it may sound like a lot of effort but I can assure its nothing compared to the hassle of having to cancel Credit Cards and going through recovery processes.”
What should organisations be doing to stop this happening?
“Organizations need to review their website security, ensuring all patches are applied to software and hardware where required. Regular data monitoring needs to be in place to spot attacks before they manage to be successful and internet security software should be in place and updating regularly. Also, make sure you’re running an up-to-date secure operating system and do not be afraid to seek help.”
Have Wetherspoons handled this well? What can they learn from TalkTalk’s recent experience?
“As in this case notifying customers as soon as possible should be one of their priority’s, it’s very important the public are aware of any instance their data may be breached so they can take action to protect financial loss and also be on their guard from attempts to gain more info through phishing or targeted attacks.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.