Today second hand games and electronics store CeX reported that it had been the victim of a massive data breach, issuing a statement to customers saying, “We have recently been subject to an online security breach. We are taking this extremely seriously and wanted to provide you with details of the situation and how it might affect you. We also wanted to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.”
Initially two million registered customers were sent a Q&A to keep them informed and advising them to change their passwords; separate reports say that is is around 2,000 customers who have had their data stolen – including some customer personal information such as first name, surname, addresses, email address and phone number if this was supplied.
CeX also said that any payment card data that may have been stolen in the attack "has long since expired" since it stopped storing financial data in 2009. However the attackers could have taken encrypted data from expired credit and debit cards up to 2009 in a "small number of instances."
The statement from CeX also says that, “We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.”
It also confirmed that a cyber-security specialist has been employed, “... to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.”
Dr Jamie Graves, CEO at ZoneFox emailed SC to comment, , " While customers might be experiencing hacking fatigue with the huge scale and stealth of these types of attacks, its important organisations ramp up their efforts to protect them now more than ever.”
Graves also praised the response, saying, “The way CeX has handled the incident by taking precautionary measures and instructing users of WeBuy.com to change their passwords is exactly how businesses should be handling the situation. The attack shows, once again, how companies of all sizes need to have a holistic approach to security and the need for a 360-degree visibility into what data is being moved around on and off the network. And and what's equally important is that your employees and clients are educated with a security-aware culture instilled to help close any gaps threats look to exploit."
One commentator more critical of CeX is Richard Stiennon, chief strategy officer at Blancco Technology Group who says, "Reading between the lines of the FAQ it is apparent that CEX was not properly salting their stored hashes of passwords. (Salting: adding a long and secret string to every password provided before hashing it) This is indicated by their warnings that simple passwords can easily be cracked and users should change their passwords on the website and any other site they used the same password. Of course individuals should never use the same password on different sites to protect against this very thing."
Bill Evans, VP marketing at One Identity drew attention to the GDPR angle, saying: "As we all know, CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the UK and the European mainland. With GDPR looming, I wonder what this sort of breach would bring to CeX in terms of penalties. As stated in the regulation, there are several factors that will go into determining these fines including
- Was the infringement intentional or negligent
- The extent of the infringement (eg, how many people were affected and how much damage was suffered by them)
- The type of personal data involved
- How the regulating body found out about the infringement
- What steps were taken to mitigate the damage
“In the worst case, the fines could be the greater of €20,000,000 or four percent of prior year annual revenue. Since CeX is privately owned it's difficult to ascertain its annual revenue.
Regardless, it will be interesting to watch as more information is made available regarding the safeguards put in place by CeX prior to the breach and the details of its response immediately after discovery as this will serve as a bellwether for other companies regarding the importance of compliance to GDPR."
Certainly readers of SC would agreed with the observation by Mark James, security specialist at ESET, that, “With more and more of our data ending up floating around the internet, the chance of you receiving a spam or phishing email increases every single day,” and that the sort of information taken is the exactly the info that will be used for future scams - including names and physical addresses that you can't change easily. Plus James points out even the expired data could be used by scammers asking users to update their information, advising, “If you are contacted by phone do not hand over any new info and hang up immediately; be extra wary of emails asking you to validate any info over email or web and if in doubt always ask the originating company for verification before proceeding.”
Another aspect noted by Lee Munson - Security Researcher at Comparitech.com is that although customers are advised to change passwords, “What's interesting, however, is the fact that the company is not forcing a password reset on all of its two million potentially affected customers.” He too warns that the combination of old financial data and current personal data could put customers, “....at risk of receiving personalised phishing emails in the wake of the breach, or even identity theft.”
Munson advises CeX customers stay on their guard and, “....use a password manager to ensure that all their login credentials are hard to crack - and unique to every site they use - and do not respond to requests for further information from anyone appearing to represent the retailer."
Dean Ferrando, systems engineering manager (EMEA) at Tripwire concurs, saying, “ it is still recommended victims continuously monitor their bank accounts. Moments after the breach is often when individuals are most vulnerable which is why we recommend that they double check incoming emails and calls are from vetted sites and number, which will help lessen the likelihood of any identity theft. In general and where possible, customers should also try and activate 2 factor authentication methods as well. Usually once a hacker obtains your confidential information, they usually look to sell it off to 3rd party buyers who then try use those credentials / details against a lot of common services such as gmail, banking etc As a lot of customer do use the same password across sites (a whole different security risk), having 2 factor authentication enabled will make it near impossible for anyone to access other sites using your credentials without you knowing about it.”
Finally, Javvad Malik, security advocate at AlienVault, notes, "The details are scarce, so it's unclear how attackers gained access. Nor is it clear when this incident occurred. However, it is another reminder that all data, particularly customer data needs protecting by companies of all sizes."
"This protection includes, not only having threat detection and response capabilities, but also to look at the appropriateness of the data that is stored. It's surprising that CeX still stored customer card details prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details and would appear to go against the Data Protection Act principles of adequacy and relevancy."