Retailer CeX has suffered an online security breach. In an email to customers this morning, the retailer said it was investigating the breach "as a priority" and promised it was "taking a number of measures to prevent this from happening again."
According to the email from managing director David Mullins, the breach was a result of an unauthorised third party accessing CeX's computer systems. Consequently, CeX believes that "some customer data has been compromised" including personal information such as first names, surnames, addresses, email addresses and phone numbers if they were supplied.
For "a small number of customers," it also says the breach may extend to encrypted data from expired credit or debit cards up to 2009. However it's unlikely that any payment information was taken, says CeX, as the company ceased storing customer card details in 2009.
The extend of the damage is currently unknown, but CeX said it is contacting up to two million of its registered website customers who might be affected. As for in-store customers, CeX said it currently has "no indication that in-store personal membership information has been compromised."
"We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you," Mullins said in the email.
"This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again."
In the mean time, CeX is urging customers to change their password for their Webuy online account. If customers have used the same password elsewhere, CeX says it would also be a good idea to change these as well as a precaution.
"Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services," the email said. "As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.
"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again."