But pharmacy chain adamant its systems were not compromised as hacker attempted to extort money
Superdrug has become the latest British retailer to warn of a “possible disclosure” of customers personal data, which may include names, addresses, dates of births, and phone numbers, but not payment card details.
The incident reportedly saw criminals try to extort money from the British High Street pharmacy chain.
This incident comes after another British retailer, Dixons Carphone, admitted in June that “unauthorised access to certain data”, namely 5.9 million payment cards and 1.2 million personal data records. But last month it warned that a total of 10 million customer records had been compromised – significantly up from its original estimate of 1.2 million.
Superdrug admitted the “possible disclosure” on Twitter, earlier this week, but no information on its website.
The chain said it has been warning its Superdrug.com customers of an event that may have resulted in the disclosure of some personal information.
As a precaution, it is advising its online customers to change their passwords, and it said it was sorry for the inconvenience and concern this has caused.
Superdrug also tweeted that it had contacted the police and Action Fraud over the matter.
But besides this brief tweet, it seems this story has a few more twists and turns.
According to the BBC for example, Superdrug had apparently been contacted by the cyber criminals, who claimed they had stolen details of 20,000 customers.
But the pharmacy chain said it had only seen evidence so far that 386 customers had been affected.
Superdrug is also quoted by the BBC as saying that there was “no evidence” its systems had been compromised, but that it believed the criminals had got customers’ email addresses and passwords from other websites “and then used those credentials to access accounts on our website”.
The group had tried to extort a ransom from Superdrug, it told the BBC.
The retailer said it had also “notified directly” all customers which it believed had been affected, and posted a tweet, telling customers the email they sent was “genuine”.
The Superdrug incident has prompted a quick reaction from security specialists.
“The biggest issue with the possible breach of private information from Superdrug customers is that this is another blow to our collective privacy,” said Sam Curry, chief security officer at Cybereason.
“We know the list of companies suffering breaches where personal information of their customers was compromised is in the thousands,” said Curry. “The reality is that the cost to gain information on consumers has plummeted and should be at the forefront of the debate.”
“Today, every consumer should be working under the assumption that their personal information has been compromised many times over, and the latest Superdrug hack is a reminder that they should watch their identities and credit for abuses,” said Curry.
Another expert lamented the lack of information about how the criminals had actually obtained this data.
“From the information available, while 386 or so Superdrug customer accounts were compromised, there isn’t a whole lot of information on how the cyber-hackers actually obtained the usernames and passwords,” said Sanjay Ramnath, VP at AlienVault.
“I expect that we will learn more about this as they investigate the breach further,” Ramnath said. “However, this underscores the attractiveness of the retail sector as a target for cyber-attacks. It is critical then for organisations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken.”
Another expert was relieved that the breach did not seem to contain valuable payment card data, but warned that the data compromised is still valuable to criminals.
“Although happily, payment data was not exposed, the personally identifiable information held hostage can easily fuel synthetic identity fraud and identity theft,” said Ryan Wilk, vice president at NuData Security (a Mastercard company).
“With these types of fraud, personally identifiable information such as name, address, or date of birth are traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft,” said Wilk.
“This is why retailers, along with eCommerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics,” he said. “These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen.”
Finally, another expert noted that this case could be the first time that blackmail has been attempted under the new GDPR rules.
“Whilst there is little detail in the communications to date, the hacker has clearly released a number of stolen records to Superdrug, to prove they have some portion of customer information,” said Andy Norton, director of threat intelligence at Lastline.
“Superdrug have not stated the hackers demands but this could be the first case of attempted GDPR blackmail,” he warned.
Do you know all about security? Try our quiz!