The personal details of up to two million customers of technology and video games retailer CeX may have been compromised in a data breach.
Information including names, addresses, email contact details, and phone numbers of CeX customers in the UK who supplied their data to the retailer through online forms has been accessed in a "sophisticated breach", the company has warned.
The company said it had suffered a phishing attack and "a low-level breach in our online UK website security" which occurred "late last year". CeX acted at the time to "immediately put in place additional security measures", it added.
The company said "no further security breach has since taken place" and that "we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data".
However, the company said it "received communication from a third party claiming to have access to some of our online UK website data" in August this year.
The retailer said it immediately informed the relevant authorities, including the Information Commissioner's Office (ICO) and National Crime Agency (NCA), "who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again".
It added: "We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage."
While no password data has been compromised, customers have nevertheless been urged to change their CeX online password, as well as the password for any other accounts that use the same password. CeX warns that it's a "precautionary measure" so customers can protect themselves from further attacks in the event of the criminals cracking users' passwords -- especially those which aren't complex.
CeX has also said that in a "small number of instances" encrypted data from credit and debit cards up to 2009 may have been accessed, but that no live payment information has been taken as those cards will have expired and the company no longer stores financial information.
The retailer is contacting all customers who are directly affected by the breach, which only affects the online arm of the company. No in-store personal membership details are thought to have been compromised. CeX has over 350 stores in the UK and over a hundred more overseas.
CeX has yet to detail how exactly attackers managed to gain access to the data, only that the incident occurred "recently".
The retailer said it is working alongside the police, the NCA, and ICO to investigate the incident and has also employed a "cyber security specialist" to review security processes.
"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement.
"Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again," the company added.