HI TEC pawnbroker CeX has announced a breach of its online systems which could expose details of 2m users.
The company, which buys and sells games and electronics through a combination of its webuy.com website and a chain of bricks and mortar stores, has warned customers that they should change their password for the site as soon as possible.
A letter to customers from managing director, David Mullins, warns: "As a result of a breach of security in which an unauthorised third party accessed our computer systems, we believe that some customer data has been compromised.
"This includes personal information, and, for a small number of customers, it also includes encrypted data from expired credit or debit cards. As a customer of CeX, there is a possibility this might affect you.
He emphasised, however, that "…we did not have any card data stored for your account. We ceased storing customer card details in 2009."
As usual in these situations, the message is to not only change your password, but change the password of any other site that you've given the same password to.
Summarising the sort of data accessed, CeX said: "The data includes some personal information, such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."
A spokesman for CeX told INQ:
"Late last year, we suffered what we believed to be a low-level breach in our online UK website security, along with a phishing attempt. It was swiftly identified and fixed, and we immediately put in place additional security measures. No further security breach has since taken place and we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data."
"However, in August this year we received communication from a third party claiming to have access to some of our online UK website data. We immediately informed the relevant authorities, including the ICO and NCA who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again. We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage."
CeX has emphasised that it has already put procedures in place to stop a repeat performance.
"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," continued the statement.
It went on: "Clearly, however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again."
Plus IoT factories and a pricey Pixel pouch
It's all fun and games until someone loses their rent
Speeding this way from the Spring
It's generating lower margins than smart-speaker rivals from Amazon and Google