CeX suffers security breach, up to two million customers may be affected

CeX data breach impacts two million UK accounts

Second-hand games and electronics retailer CeX has warned that the personal details of up to 2 million customers have been compromised in a "sophisticated" data breach. However, there's no indication that in-store personal membership information has been exposed in the breach.

Data breaches have affected a number of online retailers in the past and they could be subject to larger fines in the future once the EU's GDPR legislation comes into force in 2018.

CeX says it is working with authorities, including the police, to investigate. The company also owns a limited number of stores in the US. It said it stopped collecting payment card data in 2009, so even if the encryption is broken, the damage should be minimal.

Data stolen includes names, addresses, email addresses, phone numbers, and encrypted data from credit and debit cards (these are expired and the data is from 2009 and earlier, it says).

Affected customers have been sent an email offering guidance, and in-store data has not been affected.

Customers are now being advised to change their passwords, particularly ones that are used on both CeX and other websites. Nevertheless, the chain has told people to change the passwords on their account and any other services that use the same log-in details. "One would struggle to think of a legitimate business reason for storing expired card details and would appear to go against the Data Protection Act principles of adequacy and relevancy".

Mullins continued, stating that, 'Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again,' which is expected.

"The attack shows, once again, how companies of all sizes need to have a holistic approach to security and the need for a 360-degree visibility into what data is being moved around on and off the network", he added.