How the JD Wetherspoon breach could have been prevented

Pat Clawson, CEO at Blancco Technology Group, looks at the potential causes of the JD Wetherspoon breach and the measures that could have been taken to prevent it.

How could this have been prevented? Is there any valid reason for this database not to have been securely erased when JD Wetherspoon moved to a new provider?

One thing that’s interesting about this data breach is that the leaked information was housed on a database related to an old version of JD Wetherspoon’s website that’s since been replaced. When a company decides to replace old websites and launch new ones, it’s not a decision that’s made quickly and months of planning go into it. So when that decision was made, JD Wetherspoon should have also created a plan to remove all data completely and permanently from the old database. This would have required identifying a technology solution that could do this, as well as establishing clear processes, documentation and training/communications to all internal departments.

Who do you think is most responsible for this breach? Is it the third party who failed to protect/destroy this sensitive data or JD Wetherspoon for failing to ensure their supplier took the appropriate actions?

Whenever something goes wrong, people often get lost focusing on the wrong things – pointing fingers, placing blame and evading responsibility. It’s not about saying one party is 100% to blame. When JD Wetherspoon chose to sign a contract with a third-party vendor to host its (old) website, it immediately took on the responsibility for managing that relationship and doing due diligence on the vendor’s systems and processes being used to house its website. To blame the vendor for the delay in discovering the breach is just irresponsible and it points to a major weakness in how JD Wetherspoon’s internal IT and technology teams managed the relationship with the vendor.

There’s no justifiable reason for JD Wetherspoon to not have taken these precautionary data security measures. But it’s also a very common and frequent oversight made by many companies. Even though things like ‘breach notification’ are being pushed heavily with new legislation like the General Data Protection Regulation that’s close to being finalized in Europe, the true definition of secure data removal – or data erasure – just isn’t known enough or discussed enough. And a lot of the time, companies mistakenly presume ‘deleting’ data is the same thing as ‘erasing’ data. But it’s not and that’s where you see companies like JD Wetherspoon and Ashley Madison getting into serious trouble.

But that doesn’t mean the third-party vendor who accepted the contractual responsibility and fees to host JD Wetherspoon’s old website isn’t responsible either. The vendor should have been forthcoming and transparent in giving JD Wetherspoon’s IT teams access to view their internal data security processes, data removal methods, tools and technology implemented, documentation and most importantly, communication that the breach had occurred at the time that it did, not months later after the fact.

Does this point to a wider issue within data lifecycle management and what happens to information that no longer needs to be stored?

The breach itself and the tone of JD Wetherspoon’s response point to a wider issue. All too often, companies think about data security in terms of physical assets and devices. Instead, organizations need to plan for the entire data lifecycle – from creation to storage to finally, secure and permanent removal. Here’s why.

There are a lot of different deletion methodologies that exist. The approach you choose depends on your risk tolerance, security posture, your policies and the specific types of data being stored. And one of the biggest lessons from last year’s data breach at Sony is that there’s really no such thing as ‘unimportant’ data. Although most data protection laws and regulations are focused on protecting customer and employee data (and possibly financial data if you’re a public organization), and most organizations are extremely sensitive and vigilant about protecting their intellectual property (from product designs and manufacturing processes to customer lists and go-to-market strategies), few think about the scads of supposedly mundane data contained in everyday emails or employee spreadsheets. But even seemingly unimportant data could cause serious damage to the customers in question and to the companies who failed to stop the breach from occurring.
