For me, the thing that sticks out the most in this breach is the fact that CeX still stored expired customer card details from 2009 and earlier.
What business purpose could it possibly serve? It looks to be in contravention of the DPA principles of adequacy and relevancy.
One would hope these kinds of business practices, of simply storing all data for the sake of data, will be stifled by GDPR as more companies become aware of their records management responsibilities.
Second-hand UK technology retailer CeX has warned that the personal details of two million of its customers may have been accessed by hackers. Those affected were registered with CeX’s webuy.com website and have been contacted by the Watford-based firm. In an online statement, the retailer revealed that the personal information compromised could include first name, surname, address, email address and phone number, if the customer supplied them.