Superdrug is reported to have advised online customers to change their passwords after it was targeted by hackers who claim to have stolen the details of approximately 20,000 Superdrug customers.

Hundreds Compromised – Could Be More

To date, Superdrug has confirmed that 386 customer accounts are known to have been compromised, but that it is still working to try to establish the exact number. It is possible, therefore, that the number could be many more.

Contacted By Hackers

Superdrug is reported to have been contacted by a person representing a hacking group and claiming to have hacked their systems, and this person provided stolen customer information as proof. Superdrug was able to confirm the authenticity of the information from their own record of customer email and log-in details. The hacker is reported to have claimed that the details belonging to 20,000 customers were stolen, and has asked for a ransom from Superdrug.

May Have Got From Elsewhere

Even though the assumption is that the mystery hackers got into Superdrug’s systems to get the customer data, Superdrug is claiming this is not the case and that the hackers got the customer login details from other websites and then used those credentials to access accounts on the Superdrug website.

What Kind of Details?

Superdrug has said that, of the compromised accounts that it knows about, names, addresses, some dates of birth, and some telephone numbers may have been stolen, but that no customer payment card details have been accessed.

Actions

Superdrug has said that it has contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and is offering them all the information they need for an investigation.

Informed Customers

Those customers whose accounts had been compromised were sent an email by Superdrug explaining the situation, asking them to change their passwords, and advising them to change them regularly in future.

Anger Over Tweet

A tweet sent by Superdrug to confirm that the emails received by affected customers was genuine provoked anger, mostly because it failed to include an apology.

What Does This Mean For Your Business?

Although exact numbers of those affected and exact details of how customer data was obtained and accounts accessed have not yet been confirmed, the fact is that at least several hundred customers of a trusted high street brand have ended up being victims of crime, and Superdrug has (at the very least) a PR battle on its hands.
Sadly, Superdrug is one of many well-known companies with data breaches that have made the headlines, affected many customers, and damaged their own company reputations. For example, a Dixons Carphone breach from last year saw the theft of 10 million customer records.
Not just because of possible fines under GDPR, businesses and organisations should be putting customer data protection very high on the list of their business priorities, as strong data security policies, procedures, practices, and defences protect both the customer, the company and its reputation, and a vital and valuable bond of trust between merchant and customer, and send a message that customer security concerns are taken seriously.