The UK retailer CEX has been hit by a data breach leaving as many as two million registered website customers at risk, with some encrypted data compromised.
Other information exposed in the data breach includes email addresses, names, phone numbers and addresses. CEX has tried to reassure customers in saying that it has not stored card details of its customers since 2009.
According to CEX it is only website customers that have been impacted by the breach, in-store membership holders do not appear to have been affected in any way.
In a FAQ section dedicated to the breach on the CEX website, it said: “The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.”
Data breaches are falling under ever greater scrutiny as GDPR comes into view at only months away, under which a data breach such as the one in this instance could incur a catastrophic fine if the organisation was found to not be compliant.
At this tense period in terms of data protection and cybersecurity, professionals from across the tech sector have reacted to this most recent, high profile UK data breach.
Every company should get ready for GDPR
Rashmi Knowles, Field CTO at RSA:
“CeX are right to bring in a cyber-security experts to review their processes and with GDPR on the horizon, every company should be looking at doing the same. The GDPR radically expands the definition of Personally Identifiable Information (PII) and will now include areas such as email addresses that previously weren’t covered under the DPA.”
“Every organisation needs to make sure it is clear on what PII data it holds and how such data is being processed or risk being hit with major fines. Not only that, but the clock starts ticking as soon as a breach is reported giving companies just 72 hours to investigate and report on the extent of the damage – for those companies that aren’t crystal clear on their data protection processes, that is going to be simply impossible.”
Keep up with patching
Paul Cant, VP EMEA, BMC Software said:
“With online retailers in possession of a wealth of personal customer data, it is no surprise that hackers are increasingly targeting them as they struggle to keep up with patching vulnerabilities.”
“It is therefore critically important and overdue that enterprises have a strategy in place to enable SecOps teams to quickly identify the vulnerability and its threat to their system, prioritise it against other threats and fix it – fast – thus preventing a serious breach like this before it happens… As retailers continue on their digital journey, and with the GDPR fast approaching, more and more customer assets will be at risk during this transformation, unless robust security policies are in place.”
“Failing to do so and negating to comply with this new regulation could result in companies facing not only huge financial penalties, but also irreversible negative consequences for their reputation, and the bond of trust with their consumers.”
Do not succumb to breach fatigue
Raj Samani, Chief Scientist and Fellow at McAfee said:
“Given the increasing amount of reported data breaches, it would be simple to shrug off the news that CeX has reported a security breach as just another in a long line of companies impacted by digital crime.”
“However, two million people will now be wondering just what the lasting impact of their personal data being disclosed will have on them… This concept of breach fatigue is a very real issue, and until further data becomes available that will determine whether CeX implemented the appropriate controls, we should be careful before apportioning any blame.”
“One lesson is clear however, anytime you are asked for your personal data either online or offline, question whether you want yet another party to become responsible for keeping it safe.”
Bill Evans – One Identity said: “As we all know, CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the UK and the European mainland. With GDPR looming, I wonder what this sort of breach would bring to CeX in terms of penalties.”
“In the worst case, the fines could be the greater of 20,000,000 Euros or 4% of prior year annual revenue. Since CeX is privately owned it’s difficult to ascertain its annual revenue.”
“Regardless, it will be interesting to watch as more information is made available regarding the safeguards put in place by CeX prior to the breach and the details of its response immediately after discovery as this will serve as a bellwether for other companies regarding the importance of compliance to GDPR.”
Breaches lead to phishing and spam
Mark James – Security Specialist at ESET said:
“Any data breach is bad news. With more and more of our data ending up floating around the internet, the chance of you receiving a spam or phishing email increases every single day. The information taken during this breach was personal data and passwords of up to two million customers. CEX stated “customers’ names, physical addresses, email addresses and phone numbers were compromised in the attack” and as usual this is the exactly the info that will be used for future scams- with some info like names and physical addresses, being personal data that you can’t change easily.”
“It’s interesting to note that they stated that Hackers may have also swiped encrypted data from expired credit and debit cards up to 2009 in a “small number of instances.” However, any payment card data that may have been stolen in the attack “has long since expired” since they stopped storing financial data in 2009- but how many of the public actually know that? If an unsuspecting user received some correspondence to update their credit card details and used the old info as a qualifier there could be a few who may fall for it!”
Victims must change passwords immediately
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire said:
“To reduce further exploitation, victims must change their passwords immediately. Although, CeX state that financial data taken would have since expired, it is still recommended victims continuously monitor their bank accounts. Moments after the breach is often when individuals are most vulnerable which is why we recommend that they double check incoming emails and calls are from vetted sites and number, which will help lessen the likelihood of any identity theft. In general and where possible, customers should also try and activate 2 factor authentication methods as well.”
“A lot of companies provide the functionality for 2 factor authentication but do not advertise it very clearly. Usually once a hacker obtains your confidential information, they usually look to sell it off to 3rd party buyers who then try use those credentials / details against a lot of common services such as gmail, banking etc As a lot of customer do use the same password across sites (a whole different security risk), having 2 factor authentication enabled will make it near impossible for anyone to access other sites using your credentials without you knowing about it.”
CEX is not forcing a password reset
Lee Munson – Security Researcher at Comparitech.com said:
“What’s interesting, however, is the fact that the company is not forcing a password reset on all of its two million potentially affected customers.”
“Perhaps CeX thinks the fact that the stolen and encrypted credit and debit card details are from 2009 or earlier means its customers have nothing to worry about?”
“Of course, the opposite is true – it wasn’t just card data that was swiped but personal information too. That means fans of second-hand games and electronics may be at risk of receiving personalised phishing emails in the wake of the breach, or even identity theft.”
“Thus, it is vital that CeX customers stay on their guard, use a password manager to ensure that all their login credentials are hard to crack – and unique to every site they use – and do not respond to requests for further information from anyone appearing to represent the retailer.”