CeX announced that the names, addresses, email addresses, and phone numbers of 2 million of its customers have been compromised. The company, which operates a secondhand marketplace for games and tech products, said it's still investigating the extent of the breach.
Retailers have been popular targets for hackers for years. In addition to storing payment data, these businesses often collect information about their customers via loyalty programs, store credit cards, and other collection methods. This combination of financial and personal data is valuable because it can be used to make fraudulent purchases or steal a person's identity. It could also be used to assist with more targeted attacks.
CeX said in its announcement that a "small amount of encrypted data from expired credit and debit cards may have been compromised" in the breach. The company said it stopped collecting this information in 2009, so even if the encryption is broken, the damage should be minimal. That's good news for anyone who's bought something from the retailer's website in the intervening years, though the personal data leak is still worrisome.
Here's what the company said about its approach to digital security:
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.
CeX advised people affected by the breach to change their passwords on any site that uses a similar password. The company said the passwords affected by this breach weren't stored in plain text files, but if your password "is not particularly complex then it is possible that in time, a third party could still determine your original password" and use it on another site. (Which, again, is why you shouldn't repeat passwords across services.)
Approximately 2 million people were affected by this data breach. CeX said it emailed anyone it suspected was affected by the issue, so if you haven't received an email, the company believes your information is safe. It will know more as its investigation into the breach continues.