News broke that second-hand electronics retailer CeX suffered a massive “online security breach” compromising the personal data and passwords of up to two million customers. The UK retailer said customers’ names, physical addresses, email addresses and phone numbers were compromised in the attack that saw “an unauthorised third party” illegally access its computer systems. IT security experts commented below.
Bill Evans at One Identity:
“As we all know, CeX is a pan-European retailer collecting and storing data on EU citizens as it transacts business across the UK and the European mainland. With GDPR looming, I wonder what this sort of breach would bring to CeX in terms of penalties. As stated in the regulation, there are several factors that will go into determining these fines, including:
Was the infringement intentional or negligent
The extent of the infringement (e.g., how many people were affected and how much damage was suffered by them)
The type of personal data involved
How the regulating body found out about the infringement
What steps were taken to mitigate the damage
In the worst case, the fines could be the greater of 20,000,000 Euros or 4% of prior year annual revenue. Since CeX is privately owned it’s difficult to ascertain its annual revenue.
Regardless, it will be interesting to watch as more information is made available regarding the safeguards put in place by CeX prior to the breach and the details of its response immediately after discovery as this will serve as a bellwether for other companies regarding the importance of compliance to GDPR.”
Mark James, Security Specialist at ESET:
“Any data breach is bad news. With more and more of our data ending up floating around the internet, the chance of you receiving a spam or phishing email increases every single day. The information taken during this breach was personal data and passwords of up to two million customers. CeX stated “customers’ names, physical addresses, email addresses and phone numbers were compromised in the attack” and, as usual, this is exactly the info that will be used for future scams, with some info, like names and physical addresses, being personal data that you can’t change easily.
It’s interesting to note that they stated that hackers may have also swiped encrypted data from expired credit and debit cards up to 2009 in a “small number of instances.” However, any payment card data that may have been stolen in the attack “has long since expired” since they stopped storing financial data in 2009, but how many of the public actually know that? If an unsuspecting user received some correspondence to update their credit card details and used the old info as a qualifier, there could be a few who may fall for it!
As with any of these cases, always check any account info and passwords associated with the company that has been breached. Change your passwords immediately and be aware of anyone contacting you relating to the info stolen. If you are contacted by phone, do not hand over any new info and hang up immediately; be extra wary of emails asking you to validate any info over email or web and, if in doubt, always ask the originating company for verification before proceeding.”
Lee Munson, Security Researcher at Comparitech.com:
“Following the breach at second-hand electronics company CeX, the almost usual response gives customers the exceedingly good advice of changing their passwords, both for the firm’s webuy.com website and anywhere else they have reused the same credentials.
What’s interesting, however, is the fact that the company is not forcing a password reset on all of its two million potentially affected customers.
Perhaps CeX thinks the fact that the stolen and encrypted credit and debit card details are from 2009 or earlier means its customers have nothing to worry about?
Of course, the opposite is true – it wasn’t just card data that was swiped but personal information too. That means fans of second-hand games and electronics may be at risk of receiving personalised phishing emails in the wake of the breach, or even identity theft.
Thus, it is vital that CeX customers stay on their guard, use a password manager to ensure that all their login credentials are hard to crack – and unique to every site they use – and do not respond to requests for further information from anyone appearing to represent the retailer.”
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire:
“To reduce further exploitation, victims must change their passwords immediately. Although CeX state that financial data taken would have since expired, it is still recommended that victims continuously monitor their bank accounts. Moments after the breach is often when individuals are most vulnerable, which is why we recommend that they double check incoming emails and calls are from vetted sites and numbers, which will help lessen the likelihood of any identity theft. In general, and where possible, customers should also try to activate two-factor authentication methods as well. A lot of companies provide the functionality for two-factor authentication but do not advertise it very clearly. Once a hacker obtains your confidential information, they usually look to sell it off to third-party buyers who then try to use those credentials / details against a lot of common services such as Gmail, banking, etc. As a lot of customers use the same password across sites (a whole different security risk), having two-factor authentication enabled will make it near impossible for anyone to access other sites using your credentials without you knowing about it.”
Gavin Millard, technical director at Tenable Network Security:
“Today’s reality is that sites are often breached with personal data compromised. But having robust protection to that data, such as salting and hashing, in case of a loss should be the standard for any site that stores private information.
Web application flaws can now be effortlessly checked via automated tools and the data behind the applications easy to steal with the right vulnerability available to an attacker. As cyber criminals become more sophisticated, so too do our defences. It’s important that organisations understand their cyber risk on external sites and address the easily exploitable issues before a data loss event occurs.”
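Millard’s point about salting and hashing is easy to state and easy to get subtly wrong. The following is an added example, not code from CeX or from any of the commentators: it stores each password as a self-describing record with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), verifies a candidate in constant time, and contrasts that with the unsalted digest a breached table would expose, where two users with the same password produce identical values. The iteration count and salt length are illustrative choices, not recommendations from the article.

```python
"""Salted, iterated password storage versus a bare unsalted digest (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumption: tune iterations to your own hardware budget)
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return 'algorithm$iterations$salt$digest' with base64 fields.

    A fresh random salt is drawn per call, so the same password stored for two
    different users yields two unrelated records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the record's own salt and iteration count."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password: str) -> str:
    """The weak scheme: a plain SHA-256 of the password, no salt, one round."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_records_differ(password: str) -> bool:
    """Two users, same password: the stored digests should not match."""
    a = hash_password(password).split("$")[3]
    b = hash_password(password).split("$")[3]
    return a != b


def unsalted_digests_collide(password: str) -> bool:
    """Two users, same password, no salt: identical values in a leaked table."""
    return unsalted_digest(password) == unsalted_digest(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong password", record))
    print("salted records differ:", salted_records_differ("hunter2"))
    print("unsalted digests collide:", unsalted_digests_collide("hunter2"))
```

The record format carries its own parameters, which is what lets a site raise the iteration count later and re-hash users transparently at their next successful login; the unsalted variant is included only to make the contrast concrete.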
Rashmi Knowles, Field CTO EMA at RSA:
“CeX are right to bring in cyber-security experts to review their processes and, with GDPR on the horizon, every company should be looking at doing the same. The GDPR radically expands the definition of Personally Identifiable Information (PII) and will now include areas such as email addresses that previously weren’t covered under the DPA. Every organisation needs to make sure it is clear on what PII data it holds and how such data is being processed, or risk being hit with major fines. Not only that, but the clock starts ticking as soon as a breach is reported, giving companies just 72 hours to investigate and report on the extent of the damage – for those companies that aren’t crystal clear on their data protection processes, that is going to be simply impossible.”
Matthias Maier, Security Evangelist at Splunk:
“The theft of data at CeX is an example of how a large breach at one organisation can potentially put other businesses at risk. Users are likely to interchange the same passwords or security questions between employee, customer and personal accounts, leaving multiple organisations vulnerable. The CeX hackers, once they have customer credentials, will test them against other services such as an individual’s email provider or popular ecommerce sites in order to carry out further fraudulent activity.
Businesses need to monitor user login activity and password recovery requests closely over the coming weeks to detect any irregular patterns that could indicate they are being used by a malicious actor. Considered in light of the upcoming GDPR regulation, CeX has seemingly done a good job in informing individuals upfront before the news was made public, limiting the risk of further exposure for them. Now the organisation will be undergoing an extensive incident investigation process to analyse what exact details of affected individuals have been exposed. These answers can be found by analysing the millions of logging records generated by their database and web applications, as long as the data from the time of the original breach was kept. Carrying out this analysis is key to finding out who accessed what, how and when in order to avoid another breach.”
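Maier’s advice to watch login activity and password-recovery requests for irregular patterns is the kind of thing a SOC would turn into a detection rule. The block below is an added example, not Splunk’s or CeX’s code, and it runs over a constructed authentication log whose line format, field names and IP addresses are invented for illustration. It flags two patterns a credential-stuffing campaign leaves behind: one source address attempting many distinct accounts in a short window (and which of them it actually got into), and one account receiving a burst of password-reset requests from many sources. Thresholds and the window length are assumptions to tune against your own baseline.

```python
"""Spot credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: ISO timestamp, source IP, username, event name
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

# Constructed sample log: 203.0.113.5 walks through six accounts in seconds and
# gets into one; 'grace' receives four reset requests from four addresses;
# 192.0.2.44 is a normal user who mistypes once.
SAMPLE_LOG = """\
2017-08-29T10:00:01Z src=203.0.113.5 user=alice event=login_failed
2017-08-29T10:00:02Z src=203.0.113.5 user=bob event=login_failed
2017-08-29T10:00:03Z src=203.0.113.5 user=carol event=login_failed
2017-08-29T10:00:04Z src=203.0.113.5 user=dave event=login_success
2017-08-29T10:00:05Z src=203.0.113.5 user=erin event=login_failed
2017-08-29T10:00:06Z src=203.0.113.5 user=frank event=login_failed
2017-08-29T10:02:00Z src=198.51.100.7 user=alice event=login_success
2017-08-29T10:05:00Z src=198.51.100.9 user=grace event=password_reset_requested
2017-08-29T10:05:10Z src=198.51.100.10 user=grace event=password_reset_requested
2017-08-29T10:05:20Z src=198.51.100.11 user=grace event=password_reset_requested
2017-08-29T10:05:30Z src=198.51.100.12 user=grace event=password_reset_requested
this line is malformed and should be skipped
2017-08-29T11:30:00Z src=192.0.2.44 user=heidi event=login_failed
2017-08-29T11:31:00Z src=192.0.2.44 user=heidi event=login_success
"""


def parse(log_text):
    """Parse well-formed lines into dicts; silently skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, window=timedelta(minutes=5), spray_threshold=5, reset_threshold=3):
    """Return a list of findings; thresholds are illustrative assumptions."""
    findings = []

    # Pattern 1: one source address touching many distinct accounts quickly
    by_src = defaultdict(list)
    for e in events:
        if e["event"].startswith("login_"):
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        accounts = {e["user"] for e in evs}
        if len(accounts) >= spray_threshold and max_in_window([e["ts"] for e in evs], window) >= spray_threshold:
            succeeded = sorted({e["user"] for e in evs if e["event"] == "login_success"})
            findings.append({"type": "many_accounts_from_one_source", "src": src,
                             "accounts": len(accounts), "succeeded": succeeded})

    # Pattern 2: one account hit by a burst of password-reset requests
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "password_reset_requested":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        if max_in_window([e["ts"] for e in evs], window) >= reset_threshold:
            findings.append({"type": "reset_burst", "user": user,
                             "sources": len({e["src"] for e in evs})})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The accounts listed under `succeeded` are the ones to force a reset and review first, since a successful login from a source that was just spraying other accounts is the strongest signal in the log; the ordinary mistyped password from 192.0.2.44 never reaches either threshold.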
Raj Samani, Chief Scientist and Fellow at McAfee:
“Given the increasing amount of reported data breaches, it would be simple to shrug off the news that CeX has reported a security breach as just another in a long line of companies impacted by digital crime.
However, two million people will now be wondering just what the lasting impact of their personal data being disclosed will have on them.
This concept of breach fatigue is a very real issue, and until further data becomes available that will determine whether CeX implemented the appropriate controls, we should be careful before apportioning any blame.
One lesson is clear however, anytime you are asked for your personal data either online or offline, question whether you want yet another party to become responsible for keeping it safe.”
Javvad Malik, security advocate at AlienVault:
“The details are scarce, so it’s unclear how attackers gained access. Nor is it clear when this incident occurred. However, it is another reminder that all data, particularly customer data, needs protecting by companies of all sizes.”
“This protection includes not only having threat detection and response capabilities, but also looking at the appropriateness of the data that is stored. It’s surprising that CeX still stored customer card details prior to 2009. One would struggle to think of a legitimate business reason for storing expired card details, and this would appear to go against the Data Protection Act principles of adequacy and relevancy.”
“With GDPR looming, it is essential that companies take a hard look at the data they store and process, and for what purposes.”
Paul Cant, VP EMEA at BMC Software:
“With online retailers in possession of a wealth of personal customer data, it is no surprise that hackers are increasingly targeting them as they struggle to keep up with patching vulnerabilities.
It is therefore critically important and overdue that enterprises have a strategy in place to enable SecOps teams to quickly identify the vulnerability and its threat to their system, prioritise it against other threats and fix it – fast – thus preventing a serious breach like this before it happens.
As retailers continue on their digital journey, and with the GDPR fast approaching, more and more customer assets will be at risk during this transformation, unless robust security policies are in place.
Failing to do so and neglecting to comply with this new regulation could result in companies facing not only huge financial penalties, but also irreversible negative consequences for their reputation and the bond of trust with their consumers.”