Last Friday it was reported that British pub chain JD Wetherspoon suffered a data breach hitting some 650,000 customers whose details were leaked. Now tech website Motherboard tells how one of its reporters was approached by the hacker who carried out the attack.
The stolen database contained the details of customers who signed up to receive Wetherspoon's newsletter, registered with Sky's The Cloud to use Wi-Fi in its pubs, submitted a 'contact us' form on the website or bought vouchers online before August 2014.
The hacker identified himself as ‘Ropertus’ and authenticated himself by sending an email whose PGP key matched the key listed with the advert for the stolen data, the same method used to identify the Ashley Madison hackers. He claimed that the breach “wasn't complicated whatsoever,” adding, “The vulnerability took no more than 15 minutes to find through manual searching and analysis”.
According to Motherboard, Ropertus has been advertising Wetherspoon's data since at least 27 September on w0rm, a forum and online marketplace owned by a Russian hacker. No fixed price has been put on the stolen Wetherspoon data; instead, individuals messaged Ropertus to make their own offer.
Ropertus says: “I would price it US $750 - US $1000” for the whole lot, and he has apparently decided not to sell the Wetherspoon data at all, telling Motherboard: “I've made the decision not to sell it for a number of reasons, one of which is to further protect my identity.”
Instead, Ropertus claims that, “I did it simply because I could, and to serve as knowledge being put into practice.”