CeX says online users should change passwords but in-store customers are fine
Entertainment retailer CeX has admitted a data breach which saw the personal information of as many as two million of its online customers stolen.
The firm, founded as ‘Computer Exchange’ on London’s Tottenham Court Road in 1992, has more than 350 stores in the UK. However, none of these has been affected and in-store personal membership information has not been compromised.
“We have recently been subject to an online security breach,” CeX told customers. “We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.”
CeX data breach
CeX says it is unclear who accessed the data, but suggests first name, surname, addresses, email address and phone numbers of customers of ‘webuy.com’ have been stolen.
It adds that although passwords were encrypted rather than stored in plain text, users should still change them: a password that is not complex enough can be recovered from the stored data by guessing, so the protection is only as strong as the password itself.
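To show why a stolen table of hashed passwords still forces a password change, here is an added illustration (not CeX code; the storage format CeX actually used is not public). It constructs a small dump of salted SHA-256 hashes for three made-up users and runs a dictionary attack with the mangling rules people commonly use. The two weak passwords are recovered immediately; the random one never appears in the candidate list. Salts, emails and passwords are all constructed for the example.

```python
"""Dictionary attack against a constructed dump of salted password hashes.

Added example, not from CeX or the original article. Hash format (salted
SHA-256) and every record are assumptions chosen only for illustration.
"""
import hashlib
from typing import Dict, Iterator, List, Tuple

# Wordlist an attacker would bring (constructed; real lists hold millions).
WORDLIST = ["password", "123456", "liverpool", "qwerty", "cex"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, stored as hex. Assumed format, not CeX's real one."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_sample_dump() -> List[Tuple[str, bytes, str]]:
    """Constructed leaked records as (email, salt, hash).

    Per-user salts defeat precomputed tables but not guessing. Salts are
    fixed constants here only so the example is repeatable.
    """
    users = [
        ("alice@example.com", b"\x01" * 16, "password1"),
        ("bob@example.com", b"\x02" * 16, "Liverpool2017"),
        ("carol@example.com", b"\x03" * 16, "x7!Qm#vR2pL9&zT4"),
    ]
    return [(email, salt, hash_password(pw, salt)) for email, salt, pw in users]


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Base words plus simple mangling: capitalisation, a digit, a year."""
    suffixes = [""] + [str(d) for d in range(10)] + [str(y) for y in range(2000, 2018)]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def crack_dump(dump: List[Tuple[str, bytes, str]], wordlist: List[str]) -> Dict[str, str]:
    """Return {email: recovered_password} for every row a candidate matches.

    Because each row has its own salt, every candidate is hashed once per
    user. That is still trivial work: a single core does millions of
    SHA-256 operations per second.
    """
    recovered: Dict[str, str] = {}
    for email, salt, digest in dump:
        for cand in candidates(wordlist):
            if hash_password(cand, salt) == digest:
                recovered[email] = cand
                break
    return recovered


if __name__ == "__main__":
    dump = make_sample_dump()
    found = crack_dump(dump, WORDLIST)
    for email, _, _ in dump:
        print(f"{email}: {found.get(email, '<not recovered>')}")
```

Replacing `hash_password` with a deliberately slow scheme such as bcrypt or Argon2 multiplies the cost of each guess, which matters against long wordlists, but the few hundred candidates tried here would still finish in seconds. That is the point of the advice above: once the table is in an attacker's hands, only the strength of the password itself decides whether it survives.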
There is also a chance that payment information has been stolen, although this is limited to expired credit and debit card details: CeX stopped storing financial data in 2009, so cards used after that date were not held on its systems.
“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” CeX added.
“Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”
If customers haven’t been emailed, they are unaffected.
Data breaches have affected a number of online retailers in the past, and they could be subject to larger fines in the future once the EU’s GDPR comes into force in 2018. GDPR will become UK law before Brexit, and firms that fail to take adequate measures could face fines of up to £17 million or four percent of global turnover, whichever is higher.
“It is another reminder that all data, particularly customer data, needs protecting by companies of all sizes,” said Javvad Malik from security firm AlienVault.
“This protection includes not only having threat detection and response capabilities, but also looking at the appropriateness of the data that is stored. It’s surprising that CeX still stored customer card details prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details, and doing so would appear to go against the Data Protection Act principles of adequacy and relevancy.”
“With GDPR looming, it is essential that companies take a hard look at the data they store and process, and for what purposes.”