CeX data breach - the industry reacts

Another major UK retailer has been shown up for its lack of proper security protection this week after second-hand electronics and gaming company CeX confirmed it had been hit by a major data breach.

The details of around two million CeX customers are thought to be affected, including personal information and, in a small number of cases, payment card details; the company says it has not stored any card data since 2009, so any card details exposed will have expired long ago.

CeX is the latest in a line of major companies to have now been affected by a serious security issue, so what do industry experts have to say about this latest incident?

Raj Samani, chief scientist and fellow at McAfee

“Given the increasing amount of reported data breaches, it would be simple to shrug off the news that CeX has reported a security breach as just another in a long line of companies impacted by digital crime. 

However, two million people will now be wondering just what lasting impact the disclosure of their personal data will have on them.

This concept of breach fatigue is a very real issue, and until further data becomes available that will determine whether CeX implemented the appropriate controls, we should be careful before apportioning any blame.  

One lesson is clear, however: any time you are asked for your personal data, either online or offline, question whether you want yet another party to become responsible for keeping it safe.”

Paul Cant, VP EMEA, BMC Software

“With online retailers in possession of a wealth of personal customer data, it is no surprise that hackers are increasingly targeting them as they struggle to keep up with patching vulnerabilities.

It is therefore critically important and overdue that enterprises have a strategy in place to enable SecOps teams to quickly identify the vulnerability and its threat to their system, prioritise it against other threats and fix it – fast – thus preventing a serious breach like this before it happens.

As retailers continue on their digital journey, and with the GDPR fast approaching, more and more customer assets will be at risk during this transformation, unless robust security policies are in place.

Failing to do so and neglecting to comply with this new regulation could result in companies facing not only huge financial penalties, but also irreversible negative consequences for their reputation, and the bond of trust with their consumers.”

Mark James, security specialist at ESET

“Any data breach is bad news. With more and more of our data ending up floating around the internet, the chance of you receiving a spam or phishing email increases every single day. The information taken during this breach was personal data and passwords of up to two million customers. CEX stated ‘customers' names, physical addresses, email addresses and phone numbers were compromised in the attack’ and, as usual, this is exactly the info that will be used for future scams, with some info, like names and physical addresses, being personal data that you can’t change easily.

It’s interesting to note that they stated that hackers may have also swiped encrypted data from expired credit and debit cards up to 2009 in a ‘small number of instances’. However, any payment card data that may have been stolen in the attack ‘has long since expired’ since they stopped storing financial data in 2009, but how many of the public actually know that? If an unsuspecting user received some correspondence to update their credit card details and used the old info as a qualifier, there could be a few who may fall for it!

As with any of these cases, always check any account info and passwords associated with the company that has been breached. Change your passwords immediately and be aware of anyone contacting you relating to the info stolen. If you are contacted by phone, do not hand over any new info and hang up immediately; be extra wary of emails asking you to validate any info over email or web and, if in doubt, always ask the originating company for verification before proceeding.”

Matthias Maier, security evangelist at Splunk 

“The theft of data at CEX is an example of how a large breach at one organisation can potentially put other businesses at risk. Users are likely to interchange the same passwords or security questions between employee, customer and personal accounts, leaving multiple organisations vulnerable. The CEX hackers, once they have customer credentials, will test them against other services such as an individual’s email provider or popular ecommerce sites in order to carry out further fraudulent activity.

Businesses need to monitor user login activity and password recovery requests closely over the coming weeks to detect any irregular patterns that could indicate they are being used by a malicious actor. Considered in light of the upcoming GDPR regulation, CEX has seemingly done a good job in informing individuals upfront before the news was made public, limiting the risk of further exposure for them. Now the organisation will be undergoing an extensive incident investigation process to analyse what exact details of affected individuals have been exposed. These answers can be found by analysing the millions of logging records generated by their database and web applications, as long as the data from the time of the original breach was kept. Carrying out this analysis is key to finding out who accessed what, how and when in order to avoid another breach.”
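Maier's advice to watch login activity and password-reset requests for irregular patterns can be made concrete. The following is an added example and is not code from CeX or from Splunk: it runs two simple detections over a handful of constructed web-authentication log lines (the log format, the field layout and the thresholds are all assumptions made for the demo). The first flags a source IP that attempts logins against many different accounts within a short window, which is the signature of a credential-stuffing tool walking a leaked list rather than a user mistyping their own password, and lists the accounts that actually logged in from it; the second flags a source issuing password resets for many distinct accounts.

```python
"""Credential-stuffing and reset-burst detection over login logs (added example).

Assumed log format: one event per line with an ISO-8601 timestamp, client IP,
event kind ('login' or 'reset_request'), username and outcome. The sample
lines are constructed for the demo, not real CeX traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2017-08-30T10:00:01Z 203.0.113.5 login alice@example.com FAIL
2017-08-30T10:00:02Z 203.0.113.5 login bob@example.com FAIL
2017-08-30T10:00:02Z 203.0.113.5 login carol@example.com OK
2017-08-30T10:00:03Z 203.0.113.5 login dave@example.com FAIL
2017-08-30T10:00:04Z 203.0.113.5 login erin@example.com FAIL
2017-08-30T10:00:05Z 203.0.113.5 login frank@example.com FAIL
2017-08-30T10:00:06Z 203.0.113.5 login grace@example.com OK
2017-08-30T10:05:00Z 198.51.100.7 login alice@example.com FAIL
2017-08-30T10:05:30Z 198.51.100.7 login alice@example.com OK
2017-08-30T10:06:00Z 192.0.2.9 reset_request heidi@example.com OK
2017-08-30T10:06:01Z 192.0.2.9 reset_request ivan@example.com OK
2017-08-30T10:06:02Z 192.0.2.9 reset_request judy@example.com OK
2017-08-30T10:06:03Z 192.0.2.9 reset_request mallory@example.com OK
"""


def parse_log(text):
    """Parse events; lines not matching the assumed five-field format are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, kind, user, outcome = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "kind": kind,
            "user": user.lower(),
            "ok": outcome == "OK",
        })
    return events


def max_distinct_users(evts, window):
    """Most distinct usernames one source touched inside any sliding window of
    the given length (evts must already be filtered to one IP and one kind)."""
    evts = sorted(evts, key=lambda e: e["time"])
    best = 0
    for i, start in enumerate(evts):
        users = set()
        for e in evts[i:]:
            if e["time"] - start["time"] > window:
                break
            users.add(e["user"])
        best = max(best, len(users))
    return best


def stuffing_sources(events, window=timedelta(seconds=60), min_accounts=5):
    """IPs that try logins against at least `min_accounts` different usernames
    within `window`. A real user retrying their password hits one account; a
    stuffing tool replaying leaked email/password pairs hits many.
    Returns {ip: {'distinct_accounts': n, 'successes': {users that logged in}}}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evts in by_ip.items():
        n = max_distinct_users(evts, window)
        if n >= min_accounts:
            flagged[ip] = {
                "distinct_accounts": n,
                # successful logins from a stuffing source are the accounts whose
                # reused password has just been confirmed: force-reset these first
                "successes": {e["user"] for e in evts if e["ok"]},
            }
    return flagged


def reset_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """IPs requesting password resets for many distinct accounts in a short
    window, e.g. someone probing which leaked addresses hold accounts here.
    Returns {ip: distinct_accounts}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "reset_request":
            by_ip[e["ip"]].append(e)
    result = {}
    for ip, evts in by_ip.items():
        n = max_distinct_users(evts, window)
        if n >= min_accounts:
            result[ip] = n
    return result


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("credential-stuffing sources:", stuffing_sources(evts))
    print("password-reset bursts:", reset_bursts(evts))
```

On real logs the thresholds need tuning against baseline traffic: a shared NAT egress or corporate proxy legitimately produces many accounts per IP, so the distinct-account count is best compared with that source's own history rather than a fixed number. Note that the single user retrying from 198.51.100.7 is not flagged, while the source that walked seven accounts in six seconds is, along with the two accounts it actually got into.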

Rashmi Knowles, Field CTO EMEA at RSA

“CeX are right to bring in cyber-security experts to review their processes and, with GDPR on the horizon, every company should be looking at doing the same. The GDPR radically expands the definition of Personally Identifiable Information (PII) and will now include areas such as email addresses that previously weren’t covered under the DPA. Every organisation needs to make sure it is clear on what PII data it holds and how such data is being processed, or risk being hit with major fines. Not only that, but the clock starts ticking as soon as a breach is reported, giving companies just 72 hours to investigate and report on the extent of the damage – for those companies that aren’t crystal clear on their data protection processes, that is going to be simply impossible.”

Richard Stiennon, chief strategy officer at Blancco Technology Group

"From CEX's statement we know that they claim to have stopped recording financial information of its users in 2009. At that time they should have also erased all existing financial information they stored. They obviously made an informed decision that they did not need to store it. A data retention policy, properly implemented, would have reduced the impact of this massive breach. Only the most secure ecommerce sites (like Amazon's click-once-to-purchase) should ever store full credit card information. CEX tries to absolve themselves from liability by downplaying the breach because any credit card info stolen would be expired after 8 years. But keep in mind that the attacker now knows which credit card each member had in 2009 and before. That may single them out for additional targeting of their accounts.

Reading between the lines of the FAQ it is apparent that CEX was not properly salting their stored hashes of passwords. (Salting: adding a long and secret string to every password provided before hashing it.) This is indicated by their warnings that simple passwords can easily be cracked and users should change their passwords on the website and on any other site where they used the same password. Of course individuals should never use the same password on different sites, to protect against this very thing.

CEX should immediately beef up their security. They should add salted hashes. And they should review their data protection procedures and policies.  They only have a few months before GDPR goes into effect and could be subject to gigantic fines for not having proper practices in place."
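To illustrate the salting point in Stiennon's comment, here is an added example; it is not CeX's code, and the user records, passwords and attacker wordlist are constructed for the demo. It stores the same three passwords first with a plain, unsalted SHA-256 and then with a per-user random salt and PBKDF2-HMAC-SHA256 from the Python standard library (the iteration count and salt length are illustrative choices), and shows what a wordlist attack achieves against each. One caveat worth stating plainly: the salt is stored in the clear next to the hash and does not need to be secret; its job is to make every stored hash unique, so that a precomputed table cannot be reused and each user must be attacked separately, while the slow KDF makes each of those separate attempts expensive. Neither stops a weak password such as "password1" from being guessed, which is exactly why the advice to change simple passwords still stands even where hashes are salted.

```python
"""Unsalted vs. salted password storage (added example, not CeX's code).

ITERATIONS and SALT_BYTES are assumed demo parameters; USERS and WORDLIST
are constructed records, not real data.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: tune upward to the production hardware
SALT_BYTES = 16

USERS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]


# --- the weak scheme: one fast, unsalted hash per password ----------------
def hash_unsalted(password):
    """Plain SHA-256 over the password: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Computed once by the attacker and reused against every unsalted
    database ever leaked (a tiny lookup/rainbow table)."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hashes, table):
    """One dictionary lookup per user; no hashing at attack time at all."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# --- the corrected scheme: random per-user salt + slow KDF -----------------
def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.
    The salt is random per user and stored in the clear beside the hash: it
    must be unique, not secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Re-derive with the stored salt and round count; compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_records, wordlist):
    """With salts there is no shared table: every guess is re-derived per user,
    and each derivation costs ITERATIONS rounds of HMAC. Weak passwords still
    fall; the attacker just pays for each user individually."""
    found = {}
    for user, record in stored_records.items():
        for guess in wordlist:
            if verify_password(guess, record):
                found[user] = guess
                break
    return found


def demo():
    """Store USERS both ways and report what the attacker gets from each."""
    unsalted_db = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_collide": salted_db["alice"] == salted_db["bob"],
        "cracked_unsalted": crack_unsalted(unsalted_db, build_lookup_table(WORDLIST)),
        "cracked_salted": crack_salted(salted_db, WORDLIST),
        "verify_ok": verify_password("Tr0ub4dor&3", salted_db["carol"]),
        "verify_bad": verify_password("Tr0ub4dor&4", salted_db["carol"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows alice and bob sharing one unsalted hash (so a leaked database reveals who chose the same password before any cracking starts) and being cracked by a single table lookup, while their salted records differ and can only be cracked by re-running the KDF guess by guess for each of them. Carol's stronger password survives the wordlist in both schemes, which is the user-side half of the defence.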