Cash Converters, an electronics retailer, pawnbroker and money lender, has launched an investigation after discovering a data breach impacting UK customer records.
According to a breach notification email sent to impacted customers – and shared with IBTimes UK – the company said that its "webshop" service had been hacked. The stolen information, it admitted Thursday (16 November), was taken from a recently decommissioned website.
It confirmed that webshop account names, passwords and delivery addresses were compromised by the hackers. It claimed "full" card numbers were not taken - which left open the possibility partial data was stolen.
According to one Australian media report, the culprits are currently holding the data to ransom.
"Please be reassured that – alongside the relevant authorities – we are investigating this as a matter of urgency and priority," the breach notification reads.
"We are also actively implementing measures to ensure that this cannot happen again," it added.
Cash Converters said it was working with law enforcement in Australia and the UK to investigate the data leak incident, and has now forced a password reset for all UK webshop users.
The statement continued: "Although some details relating to the cybersecurity breach remain confidential while Cash Converters works with the relevant authorities, we will continue to provide as much detail as possible as it becomes available.
"The current webshop site was independently and thoroughly security tested as part of its development process. We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.
"Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected. We apologise for this situation."
It did not reveal how many customers were impacted in the hack, or when it occurred.
The previous website was decommissioned in September 2017, the company said. The notification email advised customers to change passwords and ensure they are unique to the website.
A spokesperson for Cash Converters did not immediately respond to request for comment and the company has not yet publicly acknowledged the incident on its social media channels. A PR contact sent IBTimes UK a statement, however the wording was taken from the breach email.