Retailer CeX has announced it experienced a data breach affecting as many as two million customers. The breach has reportedly compromised the security of personal details including names, addresses, contact details and, in a small number of cases, encrypted expired payment details dating back to 2009.
CeX’s webuy.com customers were sent an email from the company informing them that “an unauthorised third party” had accessed CeX’s computer systems and advised that it was working with the relevant authorities as well as a “cyber security specialist” to prevent further breaches. It is not clear whether the Information Commissioner’s Office (ICO) has been informed but an investigation is likely.
A CeX statement said:
We have recently been subject to an online security breach. We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.
The advice given to customers is:
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services.
Affected customers are now at risk of receiving phishing emails or even vishing calls as phone numbers (where provided) were also jeopardised.