Two million shoppers have been told to change their passwords after a tech retailer suffered from a hack. CeX, a technology and video games retailer, has now confirmed that data of its two million customers may have been compromised. "We have recently been subject to an online security breach," the company announced in a statement without sharing any details of the attack itself.
Leaked information includes names, shipping and billing addresses, email addresses, and phone numbers of its customers. "In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009," the company behind WeBuy.com warned. "No further financial information has been shared."
CeX stressed that the current financial data hasn't been compromised. "We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009," it said. It isn't immediately clear why the company was storing expired financial data and not the current one.
CeX says "password wasn't stored in plain text but could be determined by a third party"
The technology retailer operates in over 350 stores in the UK, along with 100 overseas shops, including some in the United States, Australia, and India. The company also runs WeBuy.com which is one of the most popular online marketplaces to buy and sell technology goods, DVDs, old music, and games.
The company said that the "sophisticated attack" targeted its UK website which appears to have happened late last year, adding that it "received communication from a third party claiming to have access to some of our online UK website data" earlier this month.
The retailer has informed the Information Commissioners Office (ICO) and the National Crime Agency (NCA) "who are in the process of investigating," and assured that its "cyber security specialists have implemented additional, advanced security measures to prevent this from happening again."
It appears that not all of its customers have been affected by this breach.
We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage.
CeX is urging customers to change their online passwords as a "precautionary measure." The retailer has mentioned that the passwords weren't stored in plain text, but doesn't add any details of the hashes used.
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services.
Since the breach doesn't affect everyone, those who do not receive an official warning to change their passwords can assume their data wasn't stolen. In any case, changing your password is recommended.
"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement. "Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes."
