Second-hand goods chain CeX has had its servers hacked with up to two million accounts compromised.
Many consumers use the CeX service to sell and buy videogames in the UK, and are being advised to login and change their passwords.
Some credit and debit card details from customers was stolen in the cyber-attack, though the company is still investigating the extent of the hack.
CeX has issued a statement on the official website, revealing:
“The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.”
They say that an unauthorised third party has accessed the data, and advise users to change their passwords.
Following the CeX hack, the company plans to tighten security.
“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again,” reads the statement.
If also states that all affected customers have been contacted by email.
Matthias Maier, security evangelist at Splunk, contacted PSU to express his concerns about the hacking:
“The theft of data at CEX is an example of how a large breach at one organisation can potentially put other businesses at risk. Users are likely to interchange the same passwords or security questions between employee, customer and personal accounts, leaving multiple organisations vulnerable. The CEX hackers, once they have customer credentials, will test them against other services such as an individual’s email provider or popular ecommerce sites in order to carry out further fraudulent activity."
He continues:
"Businesses need to monitor user login activity and password recovery requests closely over the coming weeks to detect any irregular patterns that could indicate they are being used by a malicious actor. Considered in light of the upcoming GDPR regulation, CEX has seemingly done a good job in informing individuals upfront before the news was made public, limiting the risk of further exposure for them. Now the organisation will be undergoing an extensive incident investigation process to analyse what exact details of affected individuals have been exposed. These answers can be found by analysing the millions of logging records generated by their database and web applications, as long as the data from the time of the original breach was kept. Carrying out this analysis is key to finding out who accessed what, how and when in order to avoid another breach.”
