UK pawnbroker Cash Converters believes customer data may be in the hands of a malicious third party after a suspected breach of its old website.
The firm, which also issues payday loans, has sent an email informing customers of the incident and forced a reset of their passwords. It has apparently informed the relevant authorities in the UK and Australia, where it also operates.
“The current webshop site was independently and thoroughly security tested as part of its development process,” the firm reportedly said in its email. “We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.”
User names, passwords and addresses may have been stolen as part of the breach, which affected account holders on the firm’s old “webshop”, retired in September.
However, one report from Australia quoting the company says it has:
“received an email threat from a third party claiming to have gained unauthorized access to customer data within a Cash Converters’ United Kingdom website (‘Webshop’). The unidentified third party’s threat included the widespread release of the data unless it receives a financial payment.”
Javvad Malik, security advocate at AlienVault, argued the incident highlights the importance of advanced threat detection capabilities that can spot attack attempts early on.
“The problem with this scenario is that without having reliable logs, the victim doesn’t know if the criminals actually have the data they are claiming to possess — or indeed if they will stick to their word and not release it in the event of receiving payment,” he added.
James Romer, EMEA chief security architect at SecureAuth, warned that with password reuse rife, the incident could have wider repercussions for affected users.
“Given how frequently users repurpose passwords and email addresses for other services, this could have wider repercussions. Any organization relying only on passwords and usernames as an authentication protocol is being fundamentally irresponsible,” he added.
“Even two-factor authentication isn’t sufficient, as malware and basic phishing attacks can readily be used to extract the one-time passwords from users and/or devices. Modern security depends on adaptive measures that keep hackers guessing.”