CeX Admits Data Breach Could Impact 2m Online Customers

Entertainment retailer CeX has admitted a data breach which saw the personal information of as many as two million of its online customers stolen.

The firm, founded as ‘Computer Exchange’ on London’s Tottenham Court Road in 1992, has more than 350 stores in the UK. However none of these have been affected and the in-store personal membership information has been compromised.

“We have recently been subject to an online security breach,” CeX told customers. “We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.”

CeX data breach

CeX says it is unclear who accessed the data, but suggests first name, surname, addresses, email address and phone numbers of customers of ‘webuy.com’ have been stolen.

It adds that although passwords were encrypted, users should change these in case they are not complex enough not to be cracked.

There is also a chance that payment information has been stolen, although this is limited to expired credit and debit card details. CeX stopped storing financial data in 2009, so anything used after that date should be fine.

“We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats,” CeX added.

“Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”

If customers haven’t been emailed, they are unaffected.

Loading ...

GDPR future

Data breaches have affected a number of online retailers in the past and they could be subject to larger fines in the future once the EU’s GDPR legislation comes into force in 2018. GDPR will become UK law before Brexit and firms could face fines of up to £17 million or four percent of global turnover if adequate measures are not taken.

“It is another reminder that all data, particularly customer data needs protecting by companies of all sizes,” said Javvad Malik from security firm AlienVault.

“This protection includes, not only having threat detection and response capabilities, but also to look at the appropriateness of the data that is stored. It’s surprising that CeX still stored customer card details prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details and would appear to go against the Data Protection Act principles of adequacy and relevancy.”

“With GDPR looming, it is essential that companies take a hard look at the data it stores and processes and for what purposes.”

Quiz: What do you know about cybersecurity in 2017?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Uber Seeks $10m Stake In Pony AI Via IPO

Uber reportedly seeks $10m stake in Chinese autonomous driving firm Pony AI via US IPO,…

4 mins ago

Apple Developing ‘LLM Siri’ AI For 2026

iPhone maker reportedly developing next-generation AI large language model for Siri for spring 2026 as…

34 mins ago

Hong Kong Research Group Trains AI Model With Huawei Chips

Hong Kong-based AI research institute uses Huawei Ascend 910B chips to train latest model, as…

1 hour ago

Investors Shocked As Temu Parent Misses Estimates

Temu and Pinduoduo parent company PDD Holdings misses analysts' estimates as economic slowdown in China…

2 hours ago

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

3 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

3 days ago