CeX Admits Data Breach Could Impact 2m Online Customers

Entertainment retailer CeX has admitted a data breach which saw the personal information of as many as two million of its online customers stolen.

The firm, founded as ‘Computer Exchange’ on London’s Tottenham Court Road in 1992, has more than 350 stores in the UK. However, none of these have been affected and the in-store personal membership information has not been compromised.

“We have recently been subject to an online security breach,” CeX told customers. “We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.”

CeX data breach

CeX says it is unclear who accessed the data, but suggests the first names, surnames, addresses, email addresses and phone numbers of customers of ‘webuy.com’ have been stolen.

It adds that although passwords were encrypted, users should change them in case they are not complex enough to resist cracking.

There is also a chance that payment information has been stolen, although this is limited to expired credit and debit card details. CeX stopped storing financial data in 2009, so anything used after that date should be fine.

“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” CeX added.

“Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”

If customers haven’t been emailed, they are unaffected.

GDPR future

Data breaches have affected a number of online retailers in the past and they could be subject to larger fines in the future once the EU’s GDPR legislation comes into force in 2018. GDPR will become UK law before Brexit and firms could face fines of up to £17 million or four percent of global turnover if adequate measures are not taken.

“It is another reminder that all data, particularly customer data needs protecting by companies of all sizes,” said Javvad Malik from security firm AlienVault.

“This protection includes, not only having threat detection and response capabilities, but also to look at the appropriateness of the data that is stored. It’s surprising that CeX still stored customer card details prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details and would appear to go against the Data Protection Act principles of adequacy and relevancy.”

“With GDPR looming, it is essential that companies take a hard look at the data it stores and processes and for what purposes.”

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
