Superdrug 'hacked' and held to ransom over personal customer data

By Lucy Tandon Copp 22-Aug-2018

An online hacker claims that approximately 20,000 customers have been compromised, although Superdrug says it has only seen 386

Superdrug, the health and beauty retailer owned by A.S. Watson, has been targeted by a hacker who is holding customer data to ransom.

The hacker contacted the retailer on 20 August claiming it had obtained information on approximately 20,000 customers, including names, addresses, dates of birth, phone numbers and point balances.

However, Superdrug says it has only seen 386 and that there is no evidence of its systems being compromised.

In a statement, Superdrug said: "We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website."

In an effort to reassure consumers, it explained that no payment card information had been accessed by the hacker, but advised consumers to change their passwords.

"We have contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously."

Beauty industry at risk

This is not the first time a major cosmetics e-tailer has been the victim of a privacy scandal.

In 2017, Tarte Cosmetics suffered a security breach affecting two million of its customers.

Meanwhile in 2016, Kylie Jenner's brand Kylie Cosmetics suffered a privacy glitch after the names, addresses, contact details and order history of customers were displayed for others to see.

In 2015, Sally Beauty faced its second data breach affecting payment cards.

'A blow to collective privacy'

The cost to gain information on consumers has plummeted and should be at the forefront of the debate.

The hacking scandal surrounding Superdrug comes at a time when e-commerce is dominating consumer shopping habits.

Cybersecurity expert Sam Curry, Chief Security Officer at Cybereason, said: "The biggest issue with the possible breach of private information from Superdrug customers is that this is another blow to our collective privacy.

There is a laundry list of names of the biggest corporations in the world that have been dealt a collective knock down over the years whether it be Equifax, Anthem, Target, Heartland or eBay, to name a few.

"We know the list of companies suffering breaches where personal information of their customers was compromised is in the thousands. The reality is that the cost to gain information on consumers has plummeted and should be at the forefront of the debate."

Meanwhile, Ryan Wilk, VP at NuData Security, a Mastercard company, added: "This is why retailers, along with e-commerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics.

Sign up for your free email newsletter

"These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen.”