Pub chain JD Wetherspoon says card data of 100 customers has been stolen from a database after it was hacked.
“Very limited” credit and debit card information was accessed in the hack in June and it could not be used for fraud, CEO John Hutson said.
Other personal details, including names and email addresses may also have been stolen from more than 650,000 people.
The Information Commissioner’s Office is being notified of the breach, which only came to light in recent days.
The database had details – including names, dates of birth, email addresses and phone numbers – of 656,723 customers.
The 100 affected whose card data was stolen had bought Wetherspoon vouchers online between January 2009 and August 2014, the company said.
Only the last four digits of payment cards were obtained in the hack as the remaining digits were not stored in Wetherspoon’s database, Mr Hutson said.
The card data was not encrypted because other details were not stored on the database, the company said.
In a letter to customers, Mr Hutson apologised and advised customers to “remain vigilant for any emails that you are not expecting that specifically ask you for personal or financial information, or request you to click on links or download information”.
The hack happened between 15 and 17 June on the pub chain’s old website, which has since been replaced.
Mr Hutson said there was no evidence that fraudulent activity had taken place using the hacked data and the database did not hold passwords.
He added: “We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.”
The data accessed was held by a third party company but had remained undetected. Wetherspoon became aware of a possible breach on 1 December and it was confirmed the following day.
Information would have been put on the database either when customers signed up to receive Wetherspoon’s newsletter, registered with The Cloud to use wi-fi in their pubs, submitted a ‘contact us’ form on the website, or bought vouchers online before August 2014.