Superdrug admits security breach compromising customer data - but claims its systems weren't breached

One early benefit of GDPR: Breached companies are owning up to potential security breaches much faster

Superdrug has admitted that customers' personal details have been obtained by cyber criminals, but claimed that "there is no evidence that Superdrug's systems have been compromised".

Instead, in an email to customers sent late yesterday, the company claimed that the email addresses and passwords were gleaned from other websites, and the credentials used to access accounts on Superdrug's website.

If correct, the suggestion implies that people's accounts with other commerce websites might also have been compromised in a similar way.

Superdrug claims that it became aware of the security breach when it was emailed by hackers who claimed to have the information. It's unclear why the attackers would contact the company directly, but one theory is that they were attempting to blackmail Superdrug.

The email, from Superdrug managing director Peter Macnab, explains: "On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers' online shopping information.

"There is no evidence that Superdrug's systems have been compromised.

"We believe the hacker obtained customers' email addresses and passwords from other websites and then used those credentials to access accounts on our website.

"The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386."

The company went on to admit that names, addresses, dates of birth, phone numbers and loyalty card points balances could all have been accessed.

However, Superdrug does not appear to have reset customer passwords - the standard response to such a breach - and customers have complained that they are unable to log in.
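The attack Superdrug describes is credential stuffing: passwords leaked from other sites are replayed against its login page, so the tell-tale sign in the web server's own logs is a single source trying many different accounts in a short window, with a handful of successes among the failures. The following is an added example, not code from the article or from Superdrug, showing how a defender would pick out those sources from login logs and derive the list of accounts whose passwords should be reset (the step the article notes Superdrug appears not to have taken). The log format, field names and thresholds are assumptions for the demonstration, and the log lines are constructed.

```python
# Added example (not from the article): flag credential-stuffing sources in
# web login logs and list the accounts that need a forced password reset.
# Log format "timestamp source_ip account outcome" is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real Superdrug data.
SAMPLE_LOG = """\
2018-08-20T21:00:01Z 203.0.113.5 alice@example.com FAIL
2018-08-20T21:00:02Z 203.0.113.5 bob@example.com FAIL
2018-08-20T21:00:03Z 203.0.113.5 carol@example.com OK
2018-08-20T21:00:04Z 203.0.113.5 dave@example.com FAIL
2018-08-20T21:00:05Z 203.0.113.5 erin@example.com OK
2018-08-20T21:00:06Z 203.0.113.5 frank@example.com FAIL
2018-08-20T21:05:00Z 198.51.100.7 alice@example.com FAIL
2018-08-20T21:05:30Z 198.51.100.7 alice@example.com OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account.lower(), outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: set(accounts)} for every IP that attempted logins to at
    least min_accounts distinct accounts inside one sliding time window.
    A legitimate user rarely tries five different accounts in ten minutes;
    a credential-stuffing tool does so constantly. Thresholds are assumed."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ok in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {acct for _, acct in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                # Record every account this source touched, not just the window.
                flagged[ip] = {acct for _, acct in attempts}
                break
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that a flagged source logged into successfully: the attacker
    evidently held a working (reused) password for these, so their passwords
    must be reset and sessions invalidated."""
    return sorted({acct for _ts, ip, acct, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    for ip, accts in sources.items():
        print(f"suspected credential stuffing from {ip}: {len(accts)} accounts tried")
    print("force password reset for:", accounts_to_reset(evs, sources))
```

In the constructed sample, 203.0.113.5 runs through six different accounts in five seconds and is flagged, while 198.51.100.7 is a single user retrying their own account and is not. Only the two accounts that the flagged source actually got into are put on the reset list; resetting every account the attacker merely tried is also defensible, since those credentials were in the attacker's hands even if the passwords were wrong here.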

Superdrug is owned by Hutchison, the same Hong Kong-based company behind Three Mobile.

Responding to the news, Kaspersky senior researcher David Jacoby advised that all organisations ought "to have an effective cyber-security strategy in place" before they become a target.

He continued: "Companies should also implement measures to secure customer data, so that if data is compromised in a breach, passwords and other sensitive details are not made available to threat actors. In addition, consumers should ensure that they are doing everything they can to protect themselves, including changing their passwords regularly."

Rory Duncan, a security specialist at services firm Dimension Data, also suggested that people ought to be more careful about the information they publish on social media in order to minimise the level of information that can go into social engineering attacks.
