Friday, 4 December 2015
Wetherspoons don't notice major hack for 6 months - proposed European legislation could mean fine of £65 million
The hack occurred in mid-June of this year, with Wetherspoons apparently unaware of it until this week. Anyone using the pub WiFi or registering with them has probably had details taken.
This suggests that either no active monitoring of the network traffic under Wetherspoons' control was occurring or, if it was, it was ineffective or the results were kept quiet while the gaps were fixed. Time will tell whether Wetherspoons have breached the Data Protection Act, as the matter has been reported to the Information Commissioner. The maximum fine is currently £500,000, but proposed European legislation would bump that up to a maximum of £65 million if the hack occurred with the legislation in place.
These hacks are popular because personal details can be sold for about £10 each via the dark web, and therefore the Wetherspoons hack is worth about £6 million to the cyber criminals.
In all probability a hacker wandered into a Wetherspoons with a fast WiFi connection, logged onto the network directly, bypassed security and downloaded the database in about 30 minutes - before he or she had finished their pint (or white wine for the lady).
Organisations handling personal data will need to take a more active approach to prevention and monitoring to avoid big fines and reputational damage.