Second-hand UK technology retailer CeX has warned that the personal details of two million of its customers may have been accessed by hackers.
Those affected were registered with CeX’s webuy.com website and have been contacted by the Watford-based firm.
In an online statement, the retailer revealed that the personal information compromised could include first name, surname, address, email address and phone number, if the customer supplied them.
It added:
“A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.”
CeX also urged affected customers to take the precautionary measure of changing their account password, adding:
“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.”
The firm didn’t disclose many more details of the breach as it is still working with the relevant authorities to help their investigation. However, there’s no indication that in-store personal membership information has been exposed in the breach.
CeX said it has hired a 'cybersecurity specialist' to conduct a review into its processes and had “implemented additional advanced measures of security” to prevent such an incident from occurring again.
Although financial information may be safe, customers would be advised to be on high alert for potential follow-on phishing attacks using the stolen personal information to trick users into handing over even more – including payment details.
ZoneFox CEO, Jamie Graves, praised CeX’s handling of the incident.
“The attack shows, once again, how companies of all sizes need to have a holistic approach to security and the need for a 360-degree visibility into what data is being moved around on and off the network,” he added.
“What's equally important is that your employees and clients are educated with a security-aware culture instilled to help close any gaps threats look to exploit."