It has emerged that the personal details of 656,723 customers of high-street pub chain JD Wetherspoon – including their names, dates of birth, email addresses and telephone numbers – were stolen by criminals in June when a customer database related to an old website was hacked. (To put this in perspective, the recent breach at TalkTalk affected 156,959 customers.) According to the Financial Times (apologies – it’s behind a paywall), the data is already for sale on the dark web.
In a statement, Wetherspoon said that:
“For a tiny number of customers (100), who purchased Wetherspoon vouchers online before August 2014, very limited credit/debit card information was stolen. Only the last 4 digits of the cards were obtained, since the remaining digits were not stored in the database. Other information, such as the customer name and the expiry date were not compromised. As a result, these credit/debit card details cannot, on their own, be used for fraudulent purposes.”
The Information Commissioner’s Office is investigating.
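The statement above turns on one control: the voucher database held only the last four digits of each card, so the leaked rows are not usable for card-not-present fraud. The following is an added example (not JD Wetherspoon's or IT Governance's code) of what that looks like in practice: a Luhn check, a truncation routine that keeps only the last four digits before a record is written, and a scanner for Luhn-valid 13-19 digit sequences, which is the check to run over an old database dump before assuming it really contains no full PANs. The record format and the sample dump are constructed for illustration; the test card numbers are standard public test values.

```python
"""PAN truncation before storage, and a scan of stored data for full PANs.

Added example, not code from JD Wetherspoon or IT Governance. The order
record format and SAMPLE_DUMP below are constructed for illustration.
"""
import re


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return only the last four digits of a valid PAN.

    PCI DSS permits a truncated PAN (at most first six / last four) to be
    stored in clear; a merchant with no business need for the full number
    keeps just the last four, which is what the Wetherspoon database held.
    """
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[-4:]


def record_voucher_purchase(order_id: str, pan: str, expiry: str = "") -> dict:
    """Build the row that is written to the database.

    The full PAN never reaches storage and the expiry date (accepted here
    only because the checkout form collects it) is deliberately dropped, so
    a stolen row cannot be replayed against a payment gateway.
    """
    del expiry  # hypothetical field: collected for authorisation, never stored
    return {"order_id": order_id, "card_last4": truncate_pan(pan)}


# 13-19 digits, optionally separated by single spaces or hyphens, not
# adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit sequence found in a text dump.

    Phone numbers, order IDs and truncated last-four values are too short to
    match; random 16-digit strings are rejected by the Luhn check.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed CSV dump: one row wrongly retains a full (test) PAN, the
# others hold only the truncated value.
SAMPLE_DUMP = """order_id,email,phone,card
WS-2014-00187,alice@example.com,07700 900123,4111 1111 1111 1111
WS-2014-00188,bob@example.com,07700 900456,4444
WS-2014-00189,carol@example.com,07700 900789,1234 5678 9012 3456
"""

if __name__ == "__main__":
    print(record_voucher_purchase("WS-2014-00187", "5555 5555 5555 4444", "12/16"))
    print("full PANs found in dump:", find_full_pans(SAMPLE_DUMP))
```

Run as written, the first line prints a record containing only `card_last4: 4444`, and the scan reports the single full test PAN in the dump while ignoring the phone numbers, the truncated value and the 16-digit string that fails the Luhn check. Running the scanner over a database export is a cheap way to confirm that a "we only stored the last four digits" claim is true before it is put in a breach notification.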
PCI DSS compliance
As cyber attacks increase in frequency and severity, cardholder data security is a responsibility that organisations can’t ignore.
All organisations that accept, store, transmit or process cardholder data are required by the card brands to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council (PCI SSC) to protect cardholder data and reduce payment card fraud across every payment channel, not just online. The Wetherspoon statement shows one of its controls doing its job: Requirement 3 (protect stored cardholder data) means storing no more of the card number than the business needs, and a database holding only the last four digits and no expiry date is worth far less to a thief than one holding full card details.
Compliance with the Standard remains a challenge for many, though: Verizon’s 2015 PCI Compliance Report found that nearly 80% of businesses fail their interim PCI DSS assessment.
IT Governance is an approved PCI QSA (Qualified Security Assessor). Whether you are a merchant or service provider, we can help you to improve your cyber security and comply with the PCI DSS quickly and efficiently. If you want the cardholder data you collect, process or store to be secure in 2016, IT Governance can help you.