sdecoret -

Superdrug denies data breach

Superdrug has warned online customers it believes may have had personal details exposed, but claims its systems were not compromised, in what could be the first GDPR-related extortion attempt

Superdrug has urged online customers to change their passwords after cyber criminals claimed to have stolen personal details of 20,000 people registered on the retailer's website.

The retailer claims it was the target of an extortion attempt and that there is “no evidence” its computer systems have been breached.

“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” the company said in a statement, underlining the need to use unique passwords for each online account.

Cyber criminals routinely exploit poor password practices, particularly password re-use, which means usernames and passwords stolen from one online service provider are often valid to access accounts from other providers.

The retailer believes only 386 customers were affected and said they had been contacted and advised that their names, addresses and “in some cases” dates of birth and phone numbers were exposed, but no payment card details were involved.

Superdrug said it had notified the UK’s national fraud and cyber crime reporting centre, Action Fraud, about the incident.

Since the EU’s General Data Protection Regulation (GDPR) and GDPR-aligned UK data protection legislation came into effect, organisations are under increased pressure to ensure personal data is kept securely or face a range of punitive measures that could seriously affect their bottom line.

“Superdrug have not stated the hackers’ demands, but this could be the first case of attempted GDPR blackmail,” said Andy Norton, director of threat intelligence at security firm Lastline.

Read more about data breaches

Ahead of the GDPR compliance deadline, industry commentators expressed fears that cyber criminals would see the potential punitive measures for data breaches introduced by the legislation as an opportunity to extort money from organisations by threatening to go public with evidence of a breach.

Along with healthcare service providers, retailers are a prime target for cyber attackers for obtaining personal data for identity theft, fraud and other criminal activities.

“Today, every consumer should be working under the assumption their personal information has been compromised many times over, and the latest Superdrug hack is a reminder they should watch their identities and credit for abuses,” said Sam Curry, chief security officer at security firm Cybereason.

Sanjay Ramnath, vice-president at security firm AlienVault, said it is critical then for organisations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken. 

“Complementing this with up-to-date threat intelligence data that can help identify emerging and popular threats against retailers. If compliance with industry standards like PCI DSS [payment card industry data security standard] and regulatory standards like GDPR are not found, then the consequences could be dire,” he said.

Changing passwords

Ramnath said any Superdrug customers contacted by the retailer should change their passwords or usernames not only on the Superdrug site, but also anywhere else they may have used that particular password to ensure criminals do not try to access other accounts.

To protect against post-breach damage, some retailers, e-commerce organisations, banks and financial institutions are implementing multi-layered security strategies using passive biometrics and behavioural analytics, according to Ryan Wilk, vice-president at NuData Security, a Mastercard company.

“These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen.” 

Read more on Privacy and data protection

Data Center
Data Management