E-commerce and auction website Cash Converters suffered a major data breach after hackers gained access to a decommissioned website that stored account names, passwords, and delivery addresses of webshop customers.
Cash Converters said the recent data breach compromised personal information of customers both in Australia and the UK.
After Cash Converters discovered the breach, it wrote to all affected customers in Australia as well as in the UK, informing them about the scale of the breach and that it is taking steps to ensure such incidents do not occur again.
'Please be reassured that – alongside the relevant authorities – we are investigating this as a matter of urgency and priority. We are also actively implementing measures to ensure that this cannot happen again,' the letter read.
'Although some details relating to the cybersecurity breach remain confidential while Cash Converters works with the relevant authorities, we will continue to provide as much detail as possible as it becomes available.
"The current webshop site was independently and thoroughly security tested as part of its development process. We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this,' Cash Converters added.
The firm also said that hackers were only able to get their hands on partial credit card numbers, which implies that while they may hold personal data like names and addresses belonging to customers, they may not be able to commit credit card fraud or other kinds of financial malfeasance. According to a report from Australia, the stolen data is being held for ransom by the said hackers.
In response to the breach, Cash Converters has reset passwords for all Webshop accounts and has also asked affected customers to change their passwords immediately to ensure the security of their accounts.
All that we know about the breached website is that it contained account names, passwords, and delivery addresses of Cash Converter's webshop customers and that it was decommissioned in September this year. TThe firm said it will reveal full details about the breach and how much data was lost/recovered after an in-depth investigation on the breach is completed.
With so many breaches occuring in the past 12 months, Carl Leonard, Principal Security Analyst at Forcepoint, terms the Cash Converters data breach as 'just another embodiment of the threat environment that businesses are facing every day'.
'While the breach is only affecting customers on the company’s old website, there has never been more pressure on enterprises, regardless of sector, to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach.
'Companies need to adapt and update legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of users, data and systems can become the critical point for effective security and compliance. In doing so, businesses can protect their customers and, crucially, their reputation against the ever increasingly threat of cybercrime,' he adds.