CeX breach shows personal data is still vulnerable

A breach of the personal details of more than two million customers of used technology goods store CeX has prompted fresh calls for better data protection by retailers

With just nine months to the deadline for compliance with the EU General Data Protection Regulation (GDPR), retailer CeX is warning two million customers of an online security breach.

According to the retailer, there is no indication that in-store personal membership information has been compromised, but it is contacting customers registered on its online marketplace.

CeX said an “unauthorised third party” had accessed the data, which includes online customers’ first name, surname, address, email address and phone number.

However, the retailer said it is unable to tell customers exactly what data was leaked because the breach is still under investigation by the “relevant authorities”, including the police.

The company said the data may include encrypted information from expired credit and debit cards up to 2009 in a “small number of instances”, adding that no other financial information is at risk.

“We would like to make it clear that any payment card information that may have been taken has long since expired as we stopped storing financial data in 2009,” the company said in a statement.

The retailer has advised all affected customers to change their passwords on their CeX accounts and any other accounts that use the same password.

CeX said that although the passwords were encrypted, it is possible that, in time, a third party could still recover the password and use it across other, unrelated services.

The company said it takes the protection of customer data extremely seriously and claims to have had a “robust security programme” in place that was continually reviewed and updated.

“Clearly, however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes,” it said.

“Together, we have implemented additional advanced measures of security to prevent this from happening again.”

Paul Cant, vice-president for Europe at BMC Software, said that with online retailers in possession of a wealth of personal customer data, it is no surprise that hackers are increasingly targeting them as they struggle to keep up with patching vulnerabilities.

“It is therefore critically important and overdue that enterprises have a strategy in place to enable security operations teams to quickly identify the vulnerability and its threat to their system, prioritise it against other threats and fix it fast, thus preventing a serious breach like this before it happens,” he said.

As retailers continue on their digital journey, and with the GDPR rapidly approaching, Cant said more and more customer assets will be at risk during this transformation unless robust security policies are in place.

“Failing to do so and neglecting to comply with this new regulation could result in companies facing not only huge financial penalties, but also irreversible negative consequences for their reputation and the bond of trust with their customers,” he said.

Bill Evans, senior director of marketing at One Identity, said CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the UK and the European mainland.

“With GDPR looming, I wonder what this sort of breach would bring to CeX in terms of penalties,” he said. “As stated in the regulation, there are several factors that will go into determining these fines.”

These factors include whether the infringement was intentional or negligent, how many people were affected and how much damage was suffered by them, the type of personal data involved, how the regulating body found out about the infringement, and what steps were taken to mitigate the damage.

“In the worst case, the fines could be up to €20m or 4% of the previous year’s annual revenue, whichever is greater,” said Evans. “It will be interesting to watch as more information is made available about the safeguards put in place by CeX prior to the breach and the details of its response immediately after discovery, as this will serve as a bellwether for other companies regarding the importance of compliance with GDPR.”