UK chain Cash Converters has warned customers that it has suffered a data breach which could have revealed personal details.
The high street pawnbroker confirmed that a third party had potentially accessed a database of customer accounts on its old UK website. Usernames, passwords and customer addresses are all thought to be affected in the breach.
Cash Converters said that its old website was replaced back in September 2017, and that the breach only affected users who had an account on this older entity. Customers who only visited a physical store were not affected, and no credit card details are thought to have been taken.
It's not known how many customers may have been affected, but Cash Converters told the BBC it was taking the breach "extremely seriously" and had reported it to the ICO, which may fine the company if it is found to have been negligent in its data protection.
"Our customers truly are at the heart of everything we do, and we are disappointed that they may have been affected," the company said in a statement.
"We apologise for this situation and are taking immediate action to address it."
The news immediately drew a reaction from the wider cybersecurity industry, which noted that this breach is only the latest in a series of recent incidents.
"While many Cash Converters customers may be wondering if their username and password are among the stash of stolen data, the fact is that the stolen credentials shouldn't give any cause for concern – if basic cyber hygiene procedures were followed," said Andre Stewart, VP EMEA at Netskope.
"Wherever possible, organisations must make end users aware of basic cyber hygiene, steering them towards safe courses of action – including regular password updates. After all, each new hack can release a treasure trove of user details in the form of usernames, passwords and other information which can then be used to access other online services. When the same credentials are used across multiple accounts, these breaches can expose data in many different cloud apps and services at the same time. This creates a significant risk to the enterprise because passwords used in simple personal applications are all too often used for data-critical applications at work."