As many as 650,000 Wetherspoon's customers may have had their personal details accessed by hackers, while around 100 have had credit card data stolen.
The high street pub chain said in an email to customers on Thursday night that it was the subject of a "criminal" hacking attack in June this year, which was only discovered on 1 December.
The credit card data theft only affected people who bought Wetherspoon's vouchers online before August 2014. The company said that only the last four digits of credit card numbers were accessed, meaning hackers can't use the data for fraudulent activity.
The rest of the 650,000 customers on the database – many of whom provided their details in order to use the free Wi-Fi in Wetherspoon's pubs – may have had their name, date of birth, email address, and phone number accessed by hackers.
Wetherspoon's has since replaced its website and now works with a different web development company which, it was keen to stress, has no connection to the hack.
"Unfortunately, the breach occurred without [the company's] knowledge and remained undetected until now," said JD Wetherspoon CEO John Hutson.
The company said it would inform the Data Commissioner's Office, which investigates data breaches and failures to uphold the Data Protection Act.
However, the company said it had not broken the law and had "taken appropriate technical and organisational measures as required by the Act to protect your data".
Wetherspoon's has 900 pubs across the UK and Ireland and makes more than £1.5 billion in annual sales.