
Cyber Incident Victim: CeX

Date: Aug 2017

Location: United Kingdom

Summary

A cybersecurity breach at CeX compromised approximately two million customer records, exposing personal information including names, addresses, email addresses, and phone numbers. Some hashed passwords were also accessed, with the company acknowledging that weakly secured credentials could be vulnerable to cracking. While partial payment card data was involved, the retailer clarified this pertained to outdated records from pre-2009 systems, rendering active financial risk unlikely due to card expiration timelines. The intrusion exclusively affected online systems, sparing physical store terminals. The company engaged cybersecurity specialists to implement enhanced protective measures following the incident.


Description

On or around August 29, 2017, UK-based second-hand electronics retailer CeX disclosed a cybersecurity incident involving unauthorized access to customer data. The breach compromised approximately two million customer records containing personal information, including first names, surnames, addresses, email addresses, and phone numbers. In some instances, hashed password data was also exfiltrated. While the company noted these passwords were cryptographically protected, it acknowledged that weakly constructed credentials remained vulnerable to cracking attempts, particularly if customers reused passwords across multiple services. The breach originated from an online security compromise targeting CeX's digital systems, with no evidence of in-store point-of-sale terminal involvement. Limited credit and debit card information was also accessed, though CeX asserted this posed minimal risk since the company ceased storing full payment card data in 2009, rendering any exposed card details likely expired by the time of the breach.

CeX responded by notifying affected customers via email and publicly confirming the incident through official statements. The company emphasized its existing security protocols while acknowledging the need for enhanced measures against sophisticated attacks. CeX engaged an external cybersecurity specialist to conduct a comprehensive review of its systems and processes. This partnership resulted in the implementation of additional advanced security controls designed to prevent future breaches. Internal investigations remained ongoing at the time of disclosure, limiting the release of specific technical details about the attack methodology or intrusion timeline. The retailer maintained that protecting customer data remained a priority, though the scale of the breach exposed significant volumes of personal information to potential misuse through credential-stuffing attacks or identity theft schemes targeting compromised email and physical address data.
