CeX, a U.K.-based retailer of second-hand goods, said up to two million of its online customers have had their data stolen in a security breach of its systems.
It wasn’t the only substantial cyber heist of the day: another attacker hit Swedish ISP Loopia and reportedly stole parts of its customer database (via BleepingComputer.com).
The 25-year-old CeX, which also runs the WeBuy.com website and specializes in technology, computing and video game buying and selling, said it is currently contacting online users whose personal data has been pilfered.
CeX said the data breach is confined to its registered online customers and that it had “no indication” that in-store membership information was involved in the break-in. Of the company’s 470 stores worldwide, 320 are located in the U.S., followed by Spain with 60 outlets. There are 14 CeX locations in the U.S.
“We have recently been subject to an online security breach,” CeX said in a posted Q&A addressed to customers. “We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.”
One silver lining is that CeX no longer collects and stores bank card data from customer purchases, so while the intruder’s heist yielded names, addresses, email and phone numbers, the credit/debit card data it made off with was encrypted and had not been updated since 2009. CeX said only a “small amount of encrypted data” from expired bank cards may have been compromised.
Curiously, the retailer isn’t requiring customers to change their passwords, limiting its advice to a recommendation to do so, including on all online accounts using the same sign-on information.
“Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services,” the company told customers. “As such, as a precautionary measure, we advise customers to change their password across other services where they may have reused their WeBuy website password.”
In the breach’s wake, CeX admitted that it needed to take “additional measures” to safeguard customer data from future cyber robbery attempts. The retailer said it has already hired a cybersecurity specialist to review its processes and has installed advanced security “to prevent this from happening again.”