CEX Hacked – Two Million Customer Details Stolen

Published on September 6, 2017

The second-hand electronics and video game store CEX has reportedly been hacked, and as many as two million customer details may have been stolen.

What Happened?

Hackers breached the online security of CEX’s WeBuy.com online shop and were able to steal two million customer details. The details stolen are believed to include names, addresses, email addresses, some phone numbers, and a small number of encrypted credit card details. CEX has said that the credit/debit card information dated back to 2009 and any cards left on the system would have long since expired.

CEX described the hack as a “sophisticated breach”.

Hashed Passwords Taken

Passwords were also reported to have been taken, although they were hashed. It is still possible, however, that weak passwords could be broken.

Security Measures?

The company has stated that it had a robust and regularly updated security programme in place at the time of the breach, but has acknowledged that additional security measures were required to prevent the kind of hack that took place.

The company has stated that since the breach it has hired a cyber security specialist to review its systems and to implement extra defences.

CEX also has bricks-and-mortar stores, but customer details from these were not taken by the hackers because they are handled separately from WeBuy.com customer details.

About CEX: Buy with Bitcoin

Electronics and video game retailer CEX was founded in 1992 and now has physical stores in 11 countries including the UK, USA and Australia. CEX customers can buy and exchange technology products such as mobile phones and video games, and the company WeBuy.com provided the first online marketplace where customers could do this. It is also interesting to note that shoppers are able to pay with the cryptocurrency bitcoin in CEX’s UK stores.

Another High Profile Hack This Week

CEX was not the only high profile company targeted by hackers this week. A bug in the Facebook-owned social media platform Instagram reportedly made the personal details of six million users publicly accessible. As a result, email addresses and phone numbers have reportedly been harvested by hackers and there are reports of them now being sold on the dark web.

Instagram has since announced that it is working with law enforcement, that the bug has been fixed, and that no passwords were stolen in the incident. Instagram has also advised customers to be vigilant about the security of their account, and to be cautious if they observe any suspicious activity, e.g. unrecognised incoming calls, texts, or emails.

What Does This Mean For Your Business?

These hacks underline the importance of keeping a robust cyber and data security protection programme in place. This should start from basic activities such as keeping up to date with patching (9 out of 10 hacked businesses were compromised via unpatched vulnerabilities), and should extend to training employees in cyber security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter. Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network. It is also important to have workable, updated Business Continuity and Disaster Recovery Plans in place.

As business users of online services, we should all remember to take precautions such as not revealing passwords, PINs, or ID numbers to anyone, not using the same password for multiple sites, not opening emails (with attachments) from unknown sources, and not clicking on links from unknown sources.