According to the retailer, there is no indication that in-store personal membership information has been compromised, but it is contacting customers registered on its webuy.com online marketplace.
CeX said an “unauthorised third party” had accessed the data, which includes online customers’ first name, surname, address, email address and phone number.
However, the retailer said it is unable to tell customers exactly what data was leaked because the breach is still under investigation by the “relevant authorities”, including the police.
The company said the data may include encrypted information from expired credit and debit cards up to 2009 in a “small number of instances”, adding that no other financial information is at risk.
“We would like to make it clear that any payment card information that may have been taken has long since expired as we stopped storing financial data in 2009,” the company said in a statement.
The retailer has advised all affected customers to change their passwords on their CeX accounts and any other accounts that use the same password.
CeX said that although the passwords were encrypted, it is possible that, in time, a third party could still recover the password and use it across other, unrelated services.
The company said it takes the protection of customer data extremely seriously and claims to have had a “robust security programme” in place that was continually reviewed and updated.
“Clearly, however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes,” it said.
“Together, we have implemented additional advanced measures of security to prevent this from happening again.”
Paul Cant, vice-president for Europe at BMC Software, said that with online retailers in possession of a wealth of personal customer data, it is no surprise that hackers are increasingly targeting them as they struggle to keep up with patching vulnerabilities.
“It is therefore critically important and overdue that enterprises have a strategy in place to enable security operations teams to quickly identify the vulnerability and its threat to their system, prioritise it against other threats and fix it fast, thus preventing a serious breach like this before it happens,” he said.
As retailers continue on their digital journey, and with the GDPR rapidly approaching, Cant said that more and more customer assets will be put at risk during this transformation unless robust security policies are in place.
“Failing to do so and neglecting to comply with this new regulation could result in companies facing not only huge financial penalties, but also irreversible negative consequences for their reputation and the bond of trust with their customers,” he said.
Bill Evans, senior director of marketing at One Identity, said CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the UK and the European mainland.
“With GDPR looming, I wonder what this sort of breach would bring to CeX in terms of penalties,” he said. “As stated in the regulation, there are several factors that will go into determining these fines.”
These factors include whether the infringement was intentional or negligent, how many people were affected and how much damage was suffered by them, the type of personal data involved, how the regulating body found out about the infringement, and what steps were taken to mitigate the damage.
“In the worst case, the fines could be up to €20m or 4% of the previous year’s annual revenue, whichever is greater,” said Evans. “It will be interesting to watch as more information is made available about the safeguards put in place by CeX prior to the breach and the details of its response immediately after discovery, as this will serve as a bellwether for other companies regarding the importance of compliance with GDPR.”