A cyber-attack on electronics retailer CeX has compromised the personal data of up to 2 million customers, the company has confirmed.
Hackers walked away with names, addresses and phone numbers of 2 million CeX customers but no financial details were stolen.
In an e-mail to affected customers on Tuesday, electronics retailer CeX confirmed that they had suffered an online security breach that compromised personal data belonging to millions of customers.
Hackers behind the cyber-attack could not get their hands on any financial data but managed to compromise encrypted data from expired credit or debit cards that CeX stored prior to 2009.
Data compromised by the hackers includes first names, surnames, addresses, email addresses and phone numbers of registered CeX customers. Following the breach, CeX admitted that even though they had a robust security programme in place, additional measures were required to prevent such a sophisticated attack. The retailer has since implemented these measures with the help of a cyber security specialist.
CeX has advised all registered users to immediately change the passwords for their WeBuy online accounts and to ensure that the old passwords are not used for any other accounts.
"Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password," the retailer said.
The retailer is now working with the police and other relevant authorities to find out who conducted the cyber-attack and exactly how much data was stolen.
The CeX hack is yet another example of hackers targeting company servers that store personal details of millions of customers. In this case, CeX's security programme has been found wanting and this has resulted in an irretrievable loss of sensitive personal data of their customers.
'It is therefore critically important and overdue that enterprises have a strategy in place to enable SecOps teams to quickly identify the vulnerability and its threat to their system, prioritise it against other threats and fix it – fast – thus preventing a serious breach like this before it happens,' says Paul Cant, VP EMEA at BMC Software.
'As retailers continue on their digital journey, and with the GDPR fast approaching, more and more customer assets will be at risk during this transformation, unless robust security policies are in place.
'Failing to do so and negating to comply with this new regulation could result in companies facing not only huge financial penalties, but also irreversible negative consequences for their reputation, and the bond of trust with their consumers,' he adds.
The government is planning to introduce a new data protection law this summer along the lines of Europe's General Data Protection Regulation. The law will bring in stringent guidelines on how companies manage and store sensitive customer data and will also give citizens the right to have their personal data deleted from company servers.
If any company fails to comply with the new law, resulting in a breach that compromises customer data, the Information Commissioner's Office will have the power to issue fines of up to £17m, or 4% of the company's global turnover.