The old website of British pub group JD Wetherspoon has been hacked, the company said on Friday, potentially affecting around 650,000 customers.
The hackers obtained financial data for very few customers, the firm said in a statement, while no passwords were obtained for any customers.
The pub operator said that 100 customers who purchased Wetherspoon vouchers online before August 2014, had "extremely limited" credit and debit card details accessed. Only the last four digits of the card numbers were obtained as the rest of the digits were not stored in the database.
It added that other details such as customer name and expiry date were not compromised.
Some personal staff details registered before November 10 2011 were also stolen, but no salary, bank, tax or national insurance information was accessed.
"We apologize wholeheartedly to customers and staff who have been affected," Wetherspoon Chief Executive John Hutson, said in a statement.
"Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence."
Wetherspoon said that its old website, which has been entirely replaced by a new one, was hacked between June 15 and 17 but only detected on December 1 and confirmed by security specialists on December 2. Customers were notified on December 3.
A spokesperson for Wetherspoon said a letter had been sent out to over 650,000 customers but thinks the number affected is much lower. But in a letter to customers, the pub group said that it could not tell individuals whether any personal data was included in the breach.
Customer names, date of birth, email addresses and phones numbers were stored in the database which could potentially be accessed by hackers. Even though these are not financial details, they could be used to create very targeted phishing emails, that contain malicious links, for example.
But Wetherspoon's said that it has not seen evidence of any stolen information being used for fraudulent activity.
"There has been no information from customers, or from our cyber security specialists, that leads us to believe that fraudulent activity, using the stolen information, has taken place, although we cannot be certain," the firm said.
Wetherspoon added that it has notified the U.K,'s Information Commissioners Office about the breach.