Hackers have broken into the systems of gaming store CeX and stolen the details of two million customers, including personal information and some financial data.
Bill Evans, senior director of marketing at One Identity, said CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the United Kingdom and the European mainland.
‘Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again,’ which is expected.
Personal details including first name, surname, address, email address and phone number have been accessed – and in some cases, passwords were also lifted.
British computer security expert Graham Cluley writes, ‘What I find unusual is that it appears CeX is dodging the question as to why it has not itself reset customer passwords as a precaution, rather than asking users to log in and do it themselves’.
It now appears the data breach only affects those who have made online transactions through the CeX website, and not the data of those who created in-store membership cards.
“We have recently been subject to an online security breach”, said CeX.
Following the breach, CeX admitted that even though they had a robust security programme in place, additional measures were required to prevent such a sophisticated attack.
The company also has stores all over the world, in countries such as the U.S., the UK, Australia, India, Spain, the Netherlands, and several others.
The retailer is contacting all customers who are directly affected by the breach, which only affects the online arm of the company. GDPR will become United Kingdom law before Brexit and firms could face fines of up to £17 million or four percent of global turnover if adequate measures are not taken.
The company said it started notifying affected users via email.
“This protection includes not only having threat detection and response capabilities, but also looking at the appropriateness of the data that is stored”. However, it’s unlikely that any payment information was taken, says CeX, as the company ceased storing customer card details in 2009.
“With GDPR looming, it is essential that companies take a hard look at the data they store and process and for what purposes”.