Cash Converters hack puts customer data at risk


Cash Converters, the pawnbroker and high street lender, has become the latest company to be hit by a data breach. It is feared that UK customer information, including personal details, partial credit card numbers and passwords, has been stolen. Customers were notified of the leak on Thursday by email, samples of which have been posted on social media.

The firm’s old online shop (which hasn’t been in use since September 22) was the target of the breach, meaning customers who used the site are at risk. Cash Converters has not said whether the unauthorised access happened while the site was still operational, and has refused to confirm how many customers are affected, the types of data stolen or how the breach was discovered.

However, news agency Reuters reports the firm has received a ransom demand from an ‘unidentified third party’ warning that customer data will be released if payment isn’t made. Personal details, passwords, masked credit card numbers and purchase histories may have been accessed.

Cash Converters, which is now being investigated, said in a statement, “We are taking this extremely seriously and have provided our customers of the old Webshop site with details to help protect them from being impacted by the security breach. Customers should be aware that full credit card details were not obtained as part of the security breach. Along with the relevant authorities we are investigating this as a matter of urgency. We are also actively implementing measures to ensure that this cannot happen again.”

Data watchdog the Information Commissioner’s Office (ICO) said it’s aware of an ‘incident’ at Cash Converters UK and is investigating.

With data breaches growing ever more common, Carl Leonard, principal security analyst at Forcepoint, comments, “The unfortunate Cash Converters data breach is just another embodiment of the threat environment that businesses are facing every day. From Whole Foods to Forever 21 and Debenhams in the last 12 months, this is the new normal and no one is immune.

“While the breach is only affecting customers on the company’s old website, there has never been more pressure on enterprises, regardless of sector, to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach.

“Fundamentally, focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to adapt and update legacy defences with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of users, data and systems can become the critical point for effective security and compliance. In doing so, businesses can protect their customers and, crucially, their reputation against the ever-increasing threat of cybercrime.”