Security Panel: What Can We Learn From CeX Data Breach?
Experts give their view on the CeX data breach and how firms can minimise the damage if something similar happened to them
Earlier today, second-hand entertainment retailer CeX confirmed it had suffered a data breach that compromised the personal information of two million online customers. You can read more here, but what can our security panel take from the incident?
Raj Samani, chief scientist, McAfee Labs
“Given the increasing amount of reported data breaches, it would be simple to shrug off the news that CeX has reported a security breach as just another in a long line of companies impacted by digital crime. However, two million people will now be wondering just what the lasting impact of their personal data being disclosed will have on them.
“This concept of breach fatigue is a very real issue, and until further data becomes available that will determine whether CeX implemented the appropriate controls, we should be careful before apportioning any blame.
“One lesson is clear, however: any time you are asked for your personal data, either online or offline, question whether you want yet another party to become responsible for keeping it safe.”
Mark James, security specialist at ESET
“It’s interesting to note that they stated that hackers may have also swiped encrypted data from expired credit and debit cards up to 2009 in a ‘small number of instances’. However, any payment card data that may have been stolen in the attack ‘has long since expired’, since they stopped storing financial data in 2009 – but how many of the public actually know that? If an unsuspecting user received some correspondence to update their credit card details and used the old info as a qualifier, there could be a few who may fall for it!”
Javvad Malik, AlienVault
“The details are scarce, so it’s unclear how attackers gained access. Nor is it clear when this incident occurred. However, it is another reminder that all data, particularly customer data, needs protecting by companies of all sizes.
“This protection includes not only having threat detection and response capabilities, but also looking at the appropriateness of the data that is stored. It’s surprising that CeX still stored customer card details from prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details, and it would appear to go against the Data Protection Act principles of adequacy and relevancy.
“With GDPR looming, it is essential that companies take a hard look at the data they store and process, and for what purposes.”
Jamie Fox, CEO, ZoneFox
“The way CeX has handled the incident, by taking precautionary measures and instructing users of WeBuy.com to change their passwords, is exactly how businesses should be handling the situation. The attack shows, once again, how companies of all sizes need to have a holistic approach to security and the need for 360-degree visibility into what data is being moved around on and off the network. And what’s equally important is that your employees and clients are educated, with a security-aware culture instilled to help close any gaps threats look to exploit.”
Rashmi Knowles, Field CTO at RSA
“CeX are right to bring in cyber-security experts to review their processes, and with GDPR on the horizon, every company should be looking at doing the same. The GDPR radically expands the definition of Personally Identifiable Information (PII) and will now include areas such as email addresses that previously weren’t covered under the [Data Protection Act].”