Pub chain JD Wetherspoon has said that the personal details of more than 650,000 customers may have been stolen in a cyber attack, and a small portion of this included credit card data.
For the majority of customers no financial data was stolen, and no passwords were obtained. However, the last four digits of around 100 customers' credit card numbers were taken.
Some personal staff details, registered before 10th November 2011, were also stolen. But no salary, bank, tax or national insurance information was accessed.
"We apologise wholeheartedly to customers and staff who have been affected," John Hutson, chief executive of JD Wetherspoon, said.
Wetherspoon alerted customers to the breach by email, and it's since enlisted a cyber security specialist to carry out a full investigation.
The email said so far, no information indicated that fraudulent activity has taken place as a result of the breach, however it "cannot be certain".
The company said that it had notified the information commissioner’s office, which regulates data protection.
The company said that the customer data was stolen from its old website, which has since been replaced by a new one.
"We cannot confirm whether any of your personal data was included in this breach. However, I wanted to make you aware immediately and apologise on behalf of the company,"
"We also recommend that if you are contacted by anyone asking you for personal data or passwords, such as for your bank account details, you should take all steps to check the true identity of the organisation.
Investors shrugged off the breach, and Wetherspoon shares in the company were up 2.3 per cent at 753.2p per share in early afternoon trade.