Content, Breach, Channel markets, EMEA, Europe

Online UK Retailer CeX Data Breach: 2 Million Users


CeX, a U.K.-based retailer of second hand goods, said up to two million of its online customers have had their data stolen in a security breach of its systems.

It wasn’t the only substantial cyber heist of the day: Another security attacker hit Swedish ISP Loopia and reportedly stole parts of its customer database (via

The 25-year old CeX, which also runs the website and specializes in technology, computing and video game buying and selling, said it is currently contacting online users whose personal data has been pilfered.

CeX said the data breach is confined to its registered online customers and that it had “no indication” that in-store membership information was involved in the break-in. Of the company’s 470 stores worldwide, 320 are located in the U.S., followed by Spain with 60 outlets. There are 14 CeX locations in the U.S.

“We have recently been subject to an online security breach," CeX said in a posted Q&A addressed to customers. “We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again."

One silver lining is that CeX no longer collects and stores bank card data from customer purchases so while the intruder’s heist yielded it names, addresses, email and phone numbers, it made off with encrypted credit/debit card data not updated since 2009. CeX said only a “small amount of encrypted data” from expired bank cards may have been compromised.

Curiously, the retailer isn’t requiring customers to change their passwords, limiting its advice to a recommendation to do so, including all online accounts using the same sign-on information.

“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services,” the company told customers. “As such, as a precautionary measure, we advise customers to change their password across other services where they may have reused their WeBuy website password."

In the breach’s wake, CeX admitted that it needed to take “additional measures” to safeguard customer data from future cyber robbery attempts. The retailer said it has already hired a cybersecurity specialist to review its processes and has installed advanced security “to prevent this from happening again.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.