Two million customer records pillaged in IT souk CeX hack attack

Second-hand electronics dealership CeX says two million customers may have had their personal information swiped by hackers. Several Reg readers dropped us a line after receiving an email from the Brit biz that informed them their personal details including first name, surname, address, email address and phone number had been …

  1. vir

    "Not Particularly Complex"

    A file called "not_passwords.txt".

  2. DNTP

    Hashed... but not complex

    Them damn data bandits done stolen auntie's 'English style potatoes' recipe. The bastards.

  3. Snorlax Silver badge

    Stupid Is As Stupid Does

    "The data loss came as part of an "online security breach" – its in-store terminals weren't affected. That'll be a relief to those using the stores, since credit card-slurping point-of-sale malware is becoming increasingly common, particularly in the US."

    US consumers have resisted chip-and-pin because they think it's slower than swiping. Also, merchants with chip-and-pin compatible terminals will often tell people to swipe rather than insert the card.

    Morons.

    1. vir

      Re: Stupid Is As Stupid Does

      If you try to swipe on a chip terminal, it will brusquely tell you to use the chip.

      1. Snorlax Silver badge

        Re: Stupid Is As Stupid Does

        @vir:"If you try to swipe on a chip terminal, it will brusquely tell you to use the chip."

        Some payment processors have updated the software on their terminals to do this. Not all do.

    2. Aodhhan

      Re: Stupid Is As Stupid Does

      Yet your country has far more breaches per capita. Likely due to the lower educational standards of the public system.

      1. Anonymous Coward

        Re: Stupid Is As Stupid Does

        Or maybe the crackers are better thanks to our public system?

      2. vir

        Re: Stupid Is As Stupid Does

        I resemble that statement.

      3. Snorlax Silver badge

        Re: Stupid Is As Stupid Does

        @Aodhhan:"Yet your country has far more breaches per capita."

        Got any proof to back up your claim?

  4. colin79666

    Particularly complex

    If you read their email properly it isn't their system but your password:

    "Why do I need to change my passwords?

    Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password"

    Just standard advice really, although it may imply they were hashed but not salted, at least not with a per-user salt. It is easy for people to scoff, but remember many of these accounts could be years old and MD5 was once considered good enough. Yes, CEX have got it wrong, but at least they have fessed up.

    1. werdsmith Silver badge

      Re: Particularly complex

      It's about time we had a ratings scheme like the Food Hygiene Standards star scheme, that they have to display their rating in their shops and websites. Then we can decide if we want to deal with them.

      Keeping old data and MD5 only would get them a one out of a possible five star rating and nobody would touch them.

  5. petef

    Onliner Spambot

    Pah, only 2 million? Onliner Spambot has (some) details of over 700 million accounts.

    https://www.troyhunt.com/inside-the-massive-711-million-record-onliner-spambot-dump

    1. Chris King

      Re: Onliner Spambot

      I had 213 addresses reported for my personal domain.

      Over 200 of them were randomly-generated, "guessed" stuff like admin@, billing@, sales@ (none of which existed), some German ones (direktor@, sekretariat@) and a bunch of usenet post-IDs. Fewer than 10 were recognisable and most of these were associated with previous vendor leaks.

      711 million addresses maybe, but nowhere near that number will be real or valid. Remember, this is something the spammers were using to send mail, so they didn't care about validity.

  6. Martin Summers Silver badge

    Several Reg readers dropped you a line including me literally just because I didn't think to check the site first. Typical. I'll never get a gold badge ;-)

  7. Anonymous Coward

    I used to spend my weekends going round all the CEX shops in my area looking for anything on special offer. Won't be doing that any more.

    1. frank ly

      You could try paying with cash.

    2. Anonymous Coward

      "its in-store terminals weren't affected"

      Do people read the articles?

  8. John Brown (no body) Silver badge

    Some credit and debit card data was also slurped

    "Some credit and debit card data was also slurped, but CeX says that's not a problem because the store stopped taking that data in 2009,"

    Why were they keeping credit card data? And more importantly, why have they STILL got that data from 7 or more years ago, especially since they now don't collect/keep that same data?

    1. Hans 1

      Re: Some credit and debit card data was also slurped

      Why were they keeping credit card data? And more importantly, why have they STILL got that data from 7 or more years ago, especially since they now don't collect/keep that same data?

      Valid questions. They fessed up, though, admitted fault, AND hired a cybersecurity expert ... what more do you want ? To others not yet raided, John Brown is right, check your data retention processes, now!

      If you can, use per-user salted, hashed passwords; if you cannot, listen: you need to!

      Never retain credit card data, except where there is no other way, salt/hash the card data. (Some stores allow you to pay in 3 installments per credit card, I assume they would need to keep the data).

      Oh, anything accessible from the interTubes must have up-to-date software!
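As an added illustration of the point colin79666 and Hans 1 make about hashing without a per-user salt (example code written for this page, not code from the thread or from CeX), the following Python contrasts an unsalted MD5 password store with a per-user salted PBKDF2 store. The usernames and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Unsalted MD5, the kind of scheme a years-old account database may still use:
# every user who chose the same password ends up with the same stored value,
# so one precomputed table of guesses answers for all of them at once.
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Per-user salted, iterated hash (PBKDF2-HMAC-SHA256). The salt is random per
# user and stored next to the hash; it is not secret, it simply forces any
# guessing work to be repeated separately for every single account.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, iteration count, salt, digest.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:                     # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed sample: two users who happen to have chosen the same weak password.
USERS = {"alice": "potatoes1", "bob": "potatoes1"}

def compare_schemes() -> dict:
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],  # True
        "salted_identical": salted["alice"] == salted["bob"],        # False
        "salted": salted,
    }

if __name__ == "__main__":
    result = compare_schemes()
    print("unsalted MD5 identical across users:", result["unsalted_identical"])
    print("salted PBKDF2 identical across users:", result["salted_identical"])
    print("alice verifies:", verify_password("potatoes1", result["salted"]["alice"]))
```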

      1. Doctor Syntax Silver badge

        Re: Some credit and debit card data was also slurped

        "They fessed up, though, admitted fault, AND hired a cybersecurity expert ... what more do you want ?"

        To do things in the right order. Hire the cybersecurity expert first, then they might not need to do the rest.

    2. pop_corn

      Re: Some credit and debit card data was also slurped

      My thoughts exactly. The 5th principle of the Data Protection Act is the one I believe is the most widely breached, as has clearly been the case here:

      > Fifth principle - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  9. Banksy

    Will the hackers now know about all the tat I sold to CeX?

    1. Anonymous Coward

      Hope not, the Police may find out.

  10. Adam 52 Silver badge

    "and so all of the cards have likely expired"

    This bit doesn't help much. It's fairly easy to retry the same card adding two or three to the expiry year.

    If that fails then the credit card companies offer services to update expired cards - card refresher from Amex, Account Updater from Visa and Billing Updater from MasterCard - and some merchants will helpfully call those for you.

    1. James O'Shea

      The ‘security code’ 3 or 4 digit numbers will have changed. Some sites want ‘em, some don’t.

      1. defiler

        CVV code

        I thought it was illegal / a breach of regs to retain the CVV. That's why every time my wife wants to use JustEat, it's a hunt for the card...

        1. James O'Shea

          Re: CVV code

          If the site retained the CVV, it won't match. If they didn't, but do ask for it, then whoever has the stolen CCN can't use it at that site. If, on the other hand, they never ask for a CVV, then there can and will be shenanigans.

  11. pisquee

    We got the CEX email, and not much later got an email from another website on which we'd used the same email/password combo, saying they'd picked up that those had been published and so had locked our account till we changed passwords. So either a coincidence or the hack has been published.

  12. Anonymous Coward

    Congrats, I've arrived at work, checked emails and calls...

    ..then visited el reg and all my targets have been met.

    We take the protection of customer data extremely seriously - Check

    and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. - Check

    "Clearly however, additional measures were required to prevent such a sophisticated breach occurring, " -Check

    and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again." - Check.

    In summary: We pay for what we can get away with, now paying more, horse stable bolts and doors. Change passwords. You'll be dumb enough to keep trading with us, so no big loss anyway.

    I'm going to patent an online template for these companies. Should make a fortune.

  13. se99paj

    Is anything safe anymore?

    Is anything safe anymore? I guess the answer is "No".

    What is safe today will be hackable tomorrow - I realise that companies need to invest in their security, but if their margins are getting smaller they will struggle and hackers will eventually catch up with them.

    1. Oh Homer

      Re: "What is safe today will be hackable tomorrow"

      But that is in fact the definition of "secure", to anyone who really understands security.

      Anything that can be made can be broken, and will be broken, eventually. That includes everything from encryption to parking meters.

      The real objective of security is to delay breaches long enough to mitigate them by other means (e.g. escape or obsolescence), not to prevent those breaches forever, because that is impossible.

      That is the only sensible approach to security. Don't start by assuming it's infallible, but know absolutely that it will fail, then race to the next security measure before it does.

    2. Banksy

      Re: Is anything safe anymore?

      You're saying they should have practiced safe Cex?

  14. Anonymous Coward

    oh, and some of this data was unlawfully obtained ...

    a few years ago, I bought a £4 memory module in CeX for *cash*.

    It was misdescribed (as the receipt showed) so a refund was in order.

    CeX insisted on a proof of ID before refunding - even though they had no standing to.

    I was left in a catch-22 situation that I *could* have taken them to court for the refund. But not without revealing my identity.

    Sometimes, having rights is meaningless - something we should all bear in mind.

    1. Ken Moorhouse Silver badge

      Re: CeX insisted on a proof of ID before refunding

      I can understand the reason behind this.

      The simplest being that a substitute product had been given back, or that the customer had broken it prior to its return. They might not interfere with honouring a refund this time round, benefit of the doubt, plus statutory rights, but if that kind of trick is played often enough then be prepared to be put onto a refund blacklist. I can't see a court agreeing with a plaintiff who regularly returns goods having broken them when a refund is refused despite statutory rights.

      Then there are product switching scams that staff might collude in that result in inferior products being put on sale - er, which more or less could have been what happened to you. For this they would either have to use their own address on the paperwork, or make one up.

      All of which points to being receptive to their administrative processes.

      1. Anonymous Coward

        re: All of which points to being receptive to their administrative processes

        er, CeX's administrative problems do not trump the law, which states that a CASH refund under the CRA cannot be attached to conditions. The problem is the court case to enforce that would cost more than £4, and run the risk of the judge not awarding the court costs.

        1. This post has been deleted by its author

  15. Anonymous Coward

    CeX admins...

    Are the guys responsible for the poor security now CeX offenders?

  16. Jason Bloomberg Silver badge

    Karma

    CeX are always trying to get my name, address, and email details out of me. I had a row in one of their stores just two weeks ago over their persistence and time wasting when simply wanting to pay for a 50p DVD with cash.

    I did later reflect on whether I had perhaps over-reacted, been a little unfair or strident in my criticisms that I don't trust companies to keep data I provide safe. It seems not.

    1. jonathan1

      Re: Karma

      You were lucky and right.

      To my shame - I had completely forgotten I had used them many moons ago, and at the time they wanted to pay the money for my stuff direct into my bank account. Which I foolishly gave them. I received the email this morning.

      Had no idea I even had an online account with them (which I have never used). I reset my password so I could log in and, rather frighteningly, even though my address information isn't there, my bank details are! I don't remember giving them permission to put that information online...

      Bollocks is all I can say.

  17. Eponymous Cowherd

    Unprotected Cex

    Yeah, I know.

    Getting my coat.

  18. adam payne

    "We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement."

    Same old stock announcement then.

  19. Potemkine! Silver badge

    When a store asks for my mail or phone...

    ... I say no (no, no). Why should I give information it will be unable to keep safe?

    1. Eponymous Cowherd

      Re: When a store asks for my mail or phone...

      Generally, I just lie.

      Quicker, avoids arguments, and has the added bonus of messing up their stats. If everyone did this they'd soon stop the practice.

      Similar thing with TV catch-up services, who all now demand we create accounts and sign in.

      BBC, ITV, Channel 4, Channel 5. All signed up with fake email addresses and fake postcodes.

      1. James O'Shea

        Re: When a store asks for my mail or phone...

        Meh. I usually use:

        935 Pennsylvania Ave. NW

        Washington, DC 20535

        Ask for Chris

    2. Anonymous Coward

      Re: When a store asks for my mail or phone...

      Use this

      Wycliffe House

      Water Lane

      Wilmslow

      Cheshire

      SK9 5AF

      1. Terry 6 Silver badge

        Re: When a store asks for my mail or phone...

        I now walk away from sites that require me to confirm the email address I've given to them, unless they have a really good reason to have my ID. Sometimes even when I wasn't even planning to use a fake email address.

  20. hatti

    cut n paste

    "We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement.

    I'm sure I read this statement once before coming from a certain D. Harding. 'Tis the standard, "it wasn't us gov" cut 'n' paste data protection blurb.

  21. ukgnome

    so is this an online cex scandal?

  22. Anonymous Coward

    whilst data leaks are not punished---

    ----then of course action is only taken too late to matter.

    Until there is adequate punishment for data mismanagement, then handing over your real data is an expense to everyone in your country.

    At the minimum, the directors of any company having a data leak should be held responsible for any losses the affected customers suffer, with the onus on the company to prove that the loss was not their fault.

    I would say that the directors of a company leaking data at this point are negligent; there are plenty of companies available to lock data down and there has been plenty of press attention for the historical data leaks.

    When laws change, people are still held responsible even if they were unaware of the changes, because they were published on TV and in newspapers. If people, why not companies?

  23. Fihart

    Colourful history....

    Quite a 'colourful' company, originally the Music and Video Exchange, with main branch in Notting Hill Gate. I seem to remember reading their terms of business at that time when buying a used CD -- these implied that part of the price was to purchase a warranty and that portion was not refundable if the product had to be returned. I thought at the time that this would have raised some eyebrows if a customer took it to small claims. I may be mistaken, but I recall that the original firm was registered in the Channel Islands, which would have matched the freebooting style of the now deceased founder.

  24. This post has been deleted by its author
