For me, the thing that sticks out the most in this breach is the fact that CeX still stored expired customer card details from 2009 and earlier.

What business purpose could it possibly serve? It looks to be in contravention of the DPA principles of adequacy and relevancy.

One would hope these kinds of business practices of simply storing all data for the sake of data will be stifled by GDPR as more companies become aware of their records management responsibilities.