Second-hand gaming retailer CeX has been left red-faced after being forced to admit that an "online security breach" may have put as many as two million customer accounts at risk. In an email to customers, the company said that personal information -- including first names, surnames, addresses, email addresses and phone numbers -- was stolen. Financial information was also pilfered "in a small number of instances", but CeX confirmed that the encrypted data included only expired credit and debit cards up to 2009.
It appears that the attack is limited to the CeX website, which stopped taking financial data eight years ago. In-store personal membership information isn't thought to be affected, but the company has warned all of its customers to change their store passwords, as well as the passwords for any other accounts that share the same login details.
"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," it said in a statement. "Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again."
CeX joins TalkTalk, Three and the UK parliament in admitting that it has been the target of a large-scale online attack. While you may have received the email from the company, it doesn't mean that your details have necessarily been stolen. CeX has said it has contacted all of its website customers as a precautionary measure.