UK pub company JD Wetherspoon has admitted that the personal details of 650,000 people may have been stolen in a data hack on its website.
It also said that the card details of 100 people had been compromised in the breach, which happened in June, but that only the last four digits of the cards were taken and the security numbers on the reverse had been kept secure.
A spokesperson for JD Wetherspoon said: "These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database."
The stolen personal details of the 650,000 people included the customer's name, date of birth, email address and phone number.
In a letter to customers, CEO John Hutson, said: "We have taken all necessary measures to make our website secure again following this attack. A forensic investigation into the breach is continuing.
"In this instance, we recommend that you remain vigilant for any emails that you are not expecting, that specifically ask you for personal or financial information or request you to click on links or download information."
The company said it received information on 1 December 2015 that its website may have been hacked, prompting an "urgent investigation by cyber-security specialists".
It was then confirmed that its old website, which has since been replaced, had been compromised between 15-17 June this year.
“If you’re an organization that collects data about your customers, you’re a target for cyberattacks and you should be considering how you protect that data,” said Tim Erlin, security director at cyber-protection software company Tripwire.
“While the loss of credit card data clearly constitutes a significant risk, all personal data is valuable to cybercriminals. When personal information is compromised, the risks to the consumer usually involve identity theft and other scams.
“If your data was part of the compromise, watch out for unsolicited phone calls, emails and other evidence of identity theft. Your data may be used weeks or months after the compromise, so check your credit report three or six months down the road.”