According to a Reuters report, Cash Converters received an email from a third party claiming to have gained unauthorised access to customer data on a Cash Converters UK website.
In a notification email sent to customers, the company said its webshop had been hacked with information taken from a recently decommissioned website. The site was decommissioned in September this year and was hosted by an external third party. The breach only affects those users of the old site.
The compromised data included account names, passwords and delivery addresses. Cash Converters said in its notification email that the breach did not include credit card details.
It is claimed that a third party has threatened to make public the data unless it receives a financial payment. Cash Converters has reported the threat to authorities in the UK and Australia, and has appointed security advisors to review its systems.
“Please be assured that – alongside the relevant authorities – we are investigating this as a matter of urgency and priority. We are actively implementing measures to ensure that this cannot happen again,” said the company in a statement sent to SC Media UK.
“Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected. We apologise for this situation and are taking immediate action to address it.”
Javvad Malik, security advocate at AlienVault, told SC Media UK that the attack highlights the importance of having threat detection capabilities that can alert to breaches in a reliable and timely manner.
“There isn't much information available at the moment, but this is a rather different threat in that rather than relying on ransomware, the attacker claims to have the data. The problem with this scenario is that without having reliable logs, the victim doesn't know if the criminals actually have the data they are claiming to possess – or indeed if they will stick to their word and not release it in the event of receiving payment,” he said.
Dan Panesar, VP EMEA at Certes Networks, told SC Media UK that it is “yet again an avoidable vulnerability, as a result of sprawling IT systems, that has caused the data of consumers to find its way into the hands of hackers”.
“It is up to businesses to change the mindset when it comes to cyber-security and to implement coherent and comprehensive strategies that leave no data unprotected.”
The news of the pawnbroker's breach came after US sister publication SC Magazine reported that clothing retailer Forever 21 had its systems breached, leading to unauthorised access to its payment card system, because the encryption installed on some of those systems was not operational.
Robert Capps, authentication strategist and vice president at NuData Security, told SC Media UK that back in 2015, Forever 21 made an effort to secure its clients' personal data through encryption and token-based authentication methods. This measure has reduced the impact of the potential breach, which is still under investigation.
“However, this higher-security system was still not implemented in some point of sale (PoS) devices, putting those clients' information at risk. We are glad to see companies enhancing their security, but they should also be diligent and implement those new technologies across all placements. Forever 21 is the example of what happens when you fail to do so: hackers are attracted to your security gaps like bees to a honeypot,” he said.
Carl Leonard, principal security analyst at Forcepoint, emailed SC Media UK to note that, from Whole Foods to Forever 21 and Debenhams in the last 12 months, this is the new normal and no one is immune, commenting: “While the breach is only affecting customers on the company's old website, there has never been more pressure on enterprises, regardless of sector, to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach.
“Fundamentally, focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to adapt and update legacy defences with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of users, data and systems can become the critical point for effective security and compliance. In doing so, businesses can protect their customers and, crucially, their reputation against the ever-increasing threat of cyber-crime.”
Andrew Bushby, UK director at Fidelis Cybersecurity, adds: “As a company that allows customers to purchase traded-in items on its website, Cash Converters is a prime target for hackers. Its customers will understandably be concerned by this ransom demand, especially given the uncertainty around the information that's in the hands of the attackers. Even if customer credit card information was not breached, or is masked, it could still be at risk as attackers have customers' usernames, passwords and addresses in their hands.
“With automated detection and response techniques, companies such as Cash Converters will be able to respond to incidents at the speed of light. It's this that could keep confidential data secure and exactly where it should be.”