Pawnbroker pwnd: Cash Converters says hacker slurped customer data

Pawnbroking and secondhand goods outlet Cash Converters has suffered a data breach. Customers were notified of the leak on Thursday by email, samples of which have been posted on social media. Cash Converters said it had discovered that a third party gained unauthorised access to customer data within the company's UK webshop …

  1. NonSSL-Login

    Stating the obvious

    Cash converters say they have had a data breach and the comment from Troy is that it bears the hallmarks of a data breach at Cash converters?

    Either that is the worst case of stating the obvious or the article has been worded badly :P

    1. david bates

      Re: Stating the obvious

      Actually I found it rather amusing.

    2. NonSSL-Login

      Re: Stating the obvious

      Those paragraphs have since been removed in case anyone wonders what we were gibbering about.

  2. Anonymous Coward

    CC cards..

    Not stored doesn't mean they weren't at risk if servers were twatted.

  3. Anonymous Coward

    I wouldn't worry it's only second hand data. I'm sure they'll pawn it off on someone though.

    1. MachDiamond Silver badge

      Limited Value?

      So many people reuse passwords that if that was part of the haul, it can be very useful.

      I buy at pawn shops now and then. There are occasional deals, but most of the time they want more for an item than I can get it for on eBay.

  4. Anonymous Coward

    Limited value?

    I would have thought that if you were going to harvest details for people to steal money from, then there's limited value in getting details for people who are known to be pawning their worldly goods to tide them over until next week's Giro comes in.

    If I were a crim, I'd like there to be a reasonable chance that the bank account I'm trying to clear out at least has some money in there to be taken.

    1. Jason Bloomberg Silver badge

      Re: Limited value?

      "Customer data" presumably includes those buying as well as those pawning. There's often some fairly expensive kit for sale and not all sellers are skint, they just want a few quid without the hassle of private selling.

      I haven't bought anything really expensive from Cash Converters or similar outlets but have picked up plenty of bargains; electronics, DVDs, box sets.

      1. Tomato Krill

        Re: Limited value?

        Yes, we know, it's all public knowledge now :-)

    2. Doctor Syntax Silver badge

      Re: Limited value?

      "there's limited value in getting details for people who are known to be pawning their worldly goods"

      There's value if it was someone allegedly wealthy trying to keep afloat. Or surreptitiously raising capital for some purpose.

    3. Anonymous Coward

      Re: Limited value?

      There is another side.

      I read recently that a number of criminals use pawn shops to protect their cash. They buy jewellery with cash, then if arrested the cops may seize any cash but can't take the jewellery. Crim now has something to go back to the pawn shop to turn back into cash. Not necessarily a favourable exchange rate, but perhaps better than losing everything.

      So, the data breach might exploit the Underworld. To quote Lucius Fox in The Dark Knight Rises: [to Reese] "Let me get this straight, you think that your client, one of the wealthiest and most powerful men in the world, is secretly a vigilante, who spends his nights beating criminals to a pulp with his bare hands, and your plan is to blackmail this person?"

      1. The Nazz

        Re: Limited value?

        And on the other hand ...

        maybe it's also the first port of call AFTER a burglary?

        The advice around here is to go out and start to look for your own stuff, but tbf not only at CC.

  5. Mark 85

    Missing info in a rather confusing way.

    The article states it was the "decommissioned" website that was decommissioned back in September. So if it was decommissioned before the breach, why wasn't the data removed? Or was it breached before it was decommissioned?

    The first comment here references Troy's comments... were they removed from the article?

    1. Doctor Syntax Silver badge

      Re: Missing info in a rather confusing way.

      "The article states it was the "decommissioned" website that was decommissioned back in September. So if it was decommissioned before the breach, why wasn't the data removed? Or was it breached before it was decommissioned?"

      It might turn on what's meant by "remove". If the database is simply dropped the data's still sitting there on disk. The next DC/Cloud customer who acquires that partition takes a look and finds it. Not a problem if the disk was encrypted but if it wasn't...

      I've seen this on leased kit - the previous user's data was sitting there. I've also spent time ensuring that borrowed kit got scribbled on before returning it.

  6. steviebuk Silver badge

    The e-mail

    If you'd like to view the e-mail sent to people here it is. I used to use them to buy retro games as could get the odd bargain now and then.

    -----

    Cash Converters Webshop has recently been subject to an online security breach. We are taking this extremely seriously and have provided you with details of the breach below.

    Please be reassured that – alongside the relevant authorities – we are investigating this as a matter of urgency and priority. We are also actively implementing measures to ensure that this cannot happen again.

    Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected. We apologise for this situation and are taking immediate action to address it.

    What has happened

    • Cash Converters was notified that a third party had potentially gained unauthorised access to a Cash Converters’ UK customer database.

    • The data that has been accessed relates to Cash Converters UK data from a recently decommissioned Webshop site. This site was decommissioned when the new website was launched in September 2017. This site was hosted by an external third party.

    • Please be assured that the Webshop site currently in operation has not been affected.

    What information was involved

    • The customer data that has been accessed includes Webshop account names, passwords and delivery addresses. Please note, this does not include your credit card details.

    • This information is limited to Webshop and has no impact on store activity.

    What are we doing

    • Cash Converters is working with the relevant authorities in Australia and the UK to investigate this matter.

    • Although some details relating to the cyber security breach remain confidential while Cash Converters works with the relevant authorities, we will continue to provide as much detail as possible as it becomes available.

    • We have reset all UK Webshop user passwords and they will need to be changed the next time that you log on. This has been done to reduce the risk that any customers used the same password on both the old and current Webshop sites.

    • The current Webshop site was independently and thoroughly security tested as part of its development process. We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.

    What you can do

    • Please change your Webshop password the next time that you log on.

    • If you used the same Webshop password on other websites, please also consider changing these passwords.

    More information

    • We are continuing to assess and validate the potential impact of this incident. We will keep you updated as soon as new and relevant information becomes available.

    • If you would like to speak to somebody directly about this, please call the Action Fraud team on 0300 123 2040.

    Identity theft prevention tips

    1. Be aware of phishing – some identity thieves pretend to be banks, shops or government agencies, over the phone and via email. No legitimate provider would ever ask you to confirm your identity in this way. Unless you made the contact, don’t give out any personal details. Ask questions and don’t be afraid to say “no”.

    2. Make your passwords complicated – use different passwords for each of your different accounts. Ensure your passwords are at least eight characters and contain letters, numerics and punctuation marks.

    3. Protect your phone and laptop – when in public, protect your phone and laptop screen from view, especially when entering personal and banking information.

    4. Check your credit report – it’s a good idea to check your credit report and rating once a year to ensure that there haven’t been any debts or accounts opened in your name. You can check for free using Noddle or Experian.

    Kind regards,

    Cash Converters UK
