It has been reported this morning that second-hand goods store CeX has been the victim of a massive data breach, resulting in data from over 2000 customers being stolen. The UK retailer said customers’ names, physical addresses, email addresses and phone numbers were compromised in the attack that saw “an unauthorised third party” illegally access its computer systems. Hackers may also have swiped encrypted data from expired credit and debit cards up to 2009 in a “small number of instances.” However, CeX said any payment card data that may have been stolen in the attack “has long since expired”, since it stopped storing financial data in 2009.
Bill Evans – One Identity
“As we all know, CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the UK and the European mainland. With GDPR looming, I wonder what this sort of breach would bring to CeX in terms of penalties. As stated in the regulation, there are several factors that will go into determining these fines, including:
- Was the infringement intentional or negligent
- The extent of the infringement (e.g., how many people were affected and how much damage was suffered by them)
- The type of personal data involved
- How the regulating body found out about the infringement
- What steps were taken to mitigate the damage
In the worst case, the fines could be the greater of 20,000,000 Euros or 4% of prior year annual revenue. Since CeX is privately owned, it’s difficult to ascertain its annual revenue.
Regardless, it will be interesting to watch as more information is made available regarding the safeguards put in place by CeX prior to the breach and the details of its response immediately after discovery, as this will serve as a bellwether for other companies regarding the importance of compliance with GDPR.”
Mark James – Security Specialist at ESET
“Any data breach is bad news. With more and more of our data ending up floating around the internet, the chance of you receiving a spam or phishing email increases every single day. The information taken during this breach was personal data and passwords of up to two million customers. CeX stated “customers’ names, physical addresses, email addresses and phone numbers were compromised in the attack”, and as usual this is exactly the info that will be used for future scams, with some info, like names and physical addresses, being personal data that you can’t change easily.
It’s interesting to note that they stated that hackers may also have swiped encrypted data from expired credit and debit cards up to 2009 in a “small number of instances.” However, any payment card data that may have been stolen in the attack “has long since expired” since they stopped storing financial data in 2009, but how many of the public actually know that? If an unsuspecting user received some correspondence to update their credit card details and used the old info as a qualifier, there could be a few who may fall for it!
As with any of these cases, always check any account info and passwords associated with the company that has been breached. Change your passwords immediately and be aware of anyone contacting you relating to the info stolen. If you are contacted by phone, do not hand over any new info and hang up immediately; be extra wary of emails asking you to validate any info over email or web, and if in doubt always ask the originating company for verification before proceeding.”
Lee Munson – Security Researcher at Comparitech.com
“Following the breach at second-hand electronics company CeX, the almost usual response gives customers the exceedingly good advice of changing their passwords, both for the firm’s webuy.com website and anywhere else they have reused the same credentials.
What’s interesting, however, is the fact that the company is not forcing a password reset on all of its two million potentially affected customers.
Perhaps CeX thinks the fact that the stolen and encrypted credit and debit card details are from 2009 or earlier means its customers have nothing to worry about?
Of course, the opposite is true – it wasn’t just card data that was swiped but personal information too. That means fans of second-hand games and electronics may be at risk of receiving personalised phishing emails in the wake of the breach, or even identity theft.
Thus, it is vital that CeX customers stay on their guard, use a password manager to ensure that all their login credentials are hard to crack – and unique to every site they use – and do not respond to requests for further information from anyone appearing to represent the retailer.”
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire:
“To reduce further exploitation, victims must change their passwords immediately. Although CeX states that the financial data taken would have since expired, it is still recommended that victims continuously monitor their bank accounts. Moments after the breach is often when individuals are most vulnerable, which is why we recommend that they double check that incoming emails and calls are from vetted sites and numbers, which will help lessen the likelihood of any identity theft. In general and where possible, customers should also try to activate 2-factor authentication methods as well. A lot of companies provide the functionality for 2-factor authentication but do not advertise it very clearly. Usually, once a hacker obtains your confidential information, they look to sell it off to 3rd party buyers who then try to use those credentials / details against a lot of common services such as Gmail, banking etc. As a lot of customers do use the same password across sites (a whole different security risk), having 2-factor authentication enabled will make it near impossible for anyone to access other sites using your credentials without you knowing about it.”