Del Brazil turns his well-experienced eye to the Wetherspoons customer data breach and asks some questions about how data was being managed, given how long some of this data had been retained by Wetherspoons.
It has been recently reported that the Pub chain JD Wetherspoon has admitted that card data of 100 customers has been stolen from a database after it was hacked. Weatherspoon’s have stated that “Very limited” credit and debit card information was accessed in the hack in June and that the information could not be used as part of any attempted fraud. Weatherspoon’s further stated that personal details, including names and email addresses may also have been stolen from more than 650,000 people.
The Information Commissioner’s Office has been notified of the breach, which only came to light recently and is investigating accordingly.
The hacked database contained customer’s details which included names, dates of birth, email addresses and phone numbers; however the 100 affected whose card data was stolen had apparently bought Wetherspoon vouchers online between January 2009 and August 2014.
“Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon’s database” said John Hutson, Weatherspoon’s Chief executive. None of the card data stored by Weatherspoon’s was encrypted because other associated details were not stored on the database.
A letter to those customers whose details may have been hacked advises them to “remain vigilant for any emails that they are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information”.
Despite an email warning being received about the suspected breach little if anything was done to further investigate the possibility of a hack taking place. The email warning may have been captured by a spam filter and either quarantined or automatically deleted dependent upon the settings of the relevant servers.
Mr Hutson said that the hack has occurred between 15th and 17th June and there was no evidence that fraudulent activity had taken place using the hacked data from the database. Yo40 1jdHe added: “We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.”
Serious questions need to be asked of Wetherspoon’s as to why they were retaining customer data for such a long period time in fact well past the time for which it was intended to be used for. Further investigation should establish as to how and why the data was retained for such a long period of time and again one of the main data protection principles is at the forefront of the author’s mind. If the data was being retained for an appropriate reason and with the individual’s permission was there sufficient security measures in place to safe guard against and/or deter would be hackers.
Weatherspoon’s have already given a clear indication that they fully intend to keep their retention of personal data to a minimum, as stated by founder and Chairman Tim Martin. Is this likely to be to satisfy the ICO, well in essence, yes, as it does show a clear intention to limit the amount of personal data being retained by Weatherspoon’s; although once the ICO investigation has been completed it is likely that a number of requirements and/or recommendations will be imposed by the ICO.
It is of the opinion of the author that should the ongoing investigation by the ICO highlight significant failings by Weatherspoon’s in the protection of customer data then a fine should be imposed that is in line with the seriousness and size of the breach. The ICO may take a dim view of this breach as it likely to flaunt one of the key data protection act principles in that Weatherspoon’s may have been storing customer data for longer than necessary and may have not afforded the information the appropriate level of security measures.
Currently there is no legal requirement for companies to report data breaches and/or losses to the ICO; however this is likely to change in the very near future. In the author’s opinion that each and every company has a moral obligation to not only report the breach or loss of personal data to the individual concerned but also to any recognised institute, such as the ICO, so that improvements on data protection can be pushed forward by looking at previous failings.