Wednesday, 30 August 2017

Up to 2 Million CeX Customer Accounts Compromised by Security Breach

If you are a CeX online customer, change your account password now: the UK second-hand goods chain has been informing over two million of its customers that their personal details have been hacked. In a customer email CeX disclose that they have been the subject of a security breach by a third party, and that is about as much detail as CeX are presently admitting about the cyber attack.

Since the CeX email refers only to a "sophisticated breach of security", without any further detail about what happened, it is impossible to judge whether it was actually a sophisticated cyber attack or not. Rather oddly, CeX have not forced a password change on the compromised customer accounts despite admitting account passwords were at risk.

My CeX Customer Advice
  • Change your CeX password straight away, ignoring the CeX website advice that a 6 character password is acceptable, which is too weak - see the Account Password section of this post below. Alternatively, you could close your CeX account through the website.
  • If you have used your old CeX password on any other websites, change those account passwords quickly.
  • Be vigilant for personalised scam emails purporting to come from CeX, given cyber criminals might have your email address and know you are a CeX customer.
  • Review your credit card and bank statements for suspicious activity. Note CeX might have put your bank account details and BitCoin address at risk.

Data Compromised
CeX have not been very clear in detailing the customer account data that is at risk, stating "The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied", and "In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."

Reviewing a CeX website account suggests the following customer account personal data is at risk:
  • Email Address
  • BitCoin Address
  • Full Address
  • Bank Details - Account Holder Name, Sort Code, Account Number, Roll Number
  • Phone Number

It is concerning that CeX refer to storing debit/credit card details past their expiry dates - why? CeX also appear to be glossing over the significance of compromised customer debit/credit card details in stating "We would like to make it clear that any payment card information that may have been taken, has long since expired". A rather misleading statement, given some payment card issuers reuse the debit/credit card number when reissuing new cards, and the new expiry date is guessable. Given that statement, you have to wonder whether the CeX operation was secure enough to handle debit/credit card data: are CeX PCI DSS compliant? Payment Card Industry Data Security Standard compliance is required for all organisations which process, store and/or transmit debit/credit card details, and no PCI DSS compliant organisation has ever been successfully breached.

Account Password
CeX also state that the account passwords were not stored in plain text, but have not advised how the passwords were protected: for instance, whether each password was combined with a unique random value (a salt) before being scrambled with an industry recognised one-way hashing algorithm (adequate security protection), or whether the hashing algorithm was simply applied to the bare password (inadequate security protection, since identical passwords then produce identical hashes and a single precomputed table of common passwords can recover them all).
Change your CeX password

The CeX website's password change process recommends a password of 6 characters or longer, which is too weak. CeX customers should avoid settling for that 6 character minimum and go for a password of at least 8 characters containing at least one number, one upper case letter, one lower case letter and one special character (i.e. #!"£$%^&). I recommend using a password manager (see advice on https://www.itsecurityexpert.co.uk) to generate a unique and secure random password of at least 12 characters, to really be on the safe side.
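The following Python example is added here to illustrate the two password storage approaches discussed in the Account Password section and the password advice above; it is not code from the original post and says nothing about how CeX actually stored passwords. It assumes a 16-byte per-user random salt, PBKDF2-HMAC-SHA256 with 200,000 iterations as the slow one-way hash, and the special character set quoted above; the two customers sharing a weak 6 character password and the small table of common passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional, Tuple

# Assumed parameters for this example: a per-user 16-byte random salt and a
# PBKDF2-HMAC-SHA256 work factor. Nothing here reflects what CeX actually used.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000

# The special characters the post lists as examples of acceptable symbols.
SPECIALS = '#!"£$%^&'


def unsalted_hash(password: str) -> str:
    """Inadequate protection: a bare one-way hash of the password.

    Every user with the same password gets the same digest, so one
    precomputed table of common passwords recovers all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_digest: str, candidates) -> Optional[str]:
    """Show why bare hashes are weak: a lookup in a precomputed table of
    candidate passwords recovers the original in constant time."""
    table = {unsalted_hash(c): c for c in candidates}
    return table.get(stored_digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Adequate protection: unique random salt plus a slow iterated hash.

    Returns (salt, digest); the salt is stored alongside the digest. Because
    the salt differs per user, identical passwords produce different digests
    and a precomputed table would have to be rebuilt for every single salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def meets_policy(password: str) -> bool:
    """The post's advice: at least 8 characters including a digit, an upper
    case letter, a lower case letter and one of the listed special characters."""
    return (
        len(password) >= 8
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length: int = 12) -> str:
    """Generate a random password the way a password manager would, from the
    OS CSPRNG (secrets), retrying until it also satisfies meets_policy()."""
    if length < 8:
        raise ValueError("length must be at least 8 to satisfy the policy")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample data: two customers who happen to share a weak
    # 6-character password, plus a small table of common passwords.
    common = ["123456", "password", "qwerty", "letmein", "cex123"]
    alice_pw = bob_pw = "cex123"

    # Unsalted: same digest for both customers, and the table recovers it.
    print("unsalted digests equal:", unsalted_hash(alice_pw) == unsalted_hash(bob_pw))
    print("recovered from table:", crack_unsalted(unsalted_hash(alice_pw), common))

    # Salted: different digests for the same password; the table is useless.
    a_salt, a_digest = salted_hash(alice_pw)
    b_salt, b_digest = salted_hash(bob_pw)
    print("salted digests equal:", a_digest == b_digest)
    print("verify correct password:", verify_salted("cex123", a_salt, a_digest))

    # A 12-character manager-style password passes the stronger policy.
    strong = generate_password(12)
    print("policy on 'cex123':", meets_policy("cex123"), "on generated:", meets_policy(strong))
```

The point of the comparison is that a salt by itself does not make a single password harder to guess; it removes the economy of scale, so an attacker holding two million digests has two million separate jobs instead of one, and the slow iterated hash makes each of those jobs expensive. The policy check and generator show why the 6 character minimum matters: a short password from a small alphabet is exactly what falls to those per-user guesses quickly, whatever the storage scheme.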

Note that CeX require you to know your old password in order to change it, so you will have to hope the hacker has not already changed your password.

CeX also have a "Cancel Your Account" option which I assume will remove all personal data from CeX; customers could submit a Data Subject Access Request to CeX after account closure to be certain.

Breach Recovered and Fixed?
CeX say "Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again." However, without any detail about the hack and the new measures put in place, this statement provides little assurance to CeX customers. The following statement also skirts what customers want to know: "additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening". If this cyber attack turns out not to be sophisticated, CeX can expect heavy criticism from a more cyber-savvy media, and interest from the Information Commissioner's Office for violating the Data Protection Act.

CeX Email
Dear Customer,
We are writing to inform you that unfortunately we have recently been subject to an online security breach. We are taking this extremely seriously and want to provide you with details of the situation and how it might affect you. We also want to reassure you that we are investigating this as a priority and are taking a number of measures to prevent this from happening again.
The situation
As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised. This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.
Please note, we did not have any card data stored for your account. We ceased storing customer card details in 2009.
What we’ve done about it
This was a sophisticated breach of security and we are working closely with the relevant authorities to help establish who was responsible. Our cyber security specialists have already put in place additional advanced measures to fix the problem and prevent this from happening again.
What we suggest you do?
  • Although we have put in place additional security measures, we recommend that you change the password for your webuy online account.
  • If you used the same password elsewhere, we also suggest that you change your password for those accounts.
Further details on this issue are provided in a Q&A below. If you have additional questions, please email us at: guidance@webuy.com where we will be compiling the most frequently asked questions, which will then be updated via uk.webuy.com/guidance
We apologise for any inconvenience this may cause.
Yours sincerely,
David Mullins
Managing Director


Questions & Answers
How much data has been compromised?
As a precautionary measure we are contacting up to two million of our registered website customers who could potentially be affected.
Does this affect in-store membership personal information?
We have no indication that in-store personal membership information has been compromised.
What does the data include?
The data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared.
What about financial data?
A small amount of encrypted data from expired credit and debit cards may have been compromised. We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009.
What has happened to the data that has been compromised?
We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation.
What should I do?
We advise that you change your webuy.com password, as well as any other online accounts where you may share the same password, as a precautionary measure.
Why do I need to change my passwords?
Although your password has not been stored in plain text, if it is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services. As such, as a precautionary measure, we advise customers to change their password across other services where they may have re-used their WeBuy website password.
Can customers find out exactly what data has been shared about them?
At this stage, it is not possible for us to share this information as we are still undergoing an investigation. At this stage, we are alerting all customers who might have been affected as a precaution.
What security do you have in place to protect this data?
We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats. Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.
