Superdrug has warned its online customers to change their passwords after criminals claimed to have stolen the details of 20,000 customers.
The pharmacy chain last night contacted customers to advise them to change their online passwords and said the affected data does not include payment card information.
However, it said the breach may include names, addresses and, in some cases, customers’ dates of birth, phone numbers and loyalty point balances.
Despite the hackers’ claims of 20,000 compromised accounts, Superdrug said it has only seen evidence of 386 affected customers so far and said there was “no evidence” its systems had been compromised.
The company said it had been contacted by an individual claiming to have carried out the attack on 20,000 customer accounts who demanded a ransom of 2 bitcoin, worth about $13,337 at current rates, Reuters news agency reported.
Customers contacted by the company reported difficulties in changing their online passwords.
One Twitter user by the name of Ellen Auckland posted: “I would be able to change my password but tried from four different devices and the website keeps giving me an internal server error. Not acceptable that I might have my details comprised [sic] and I can't change my password.”
In a statement posted on Twitter, Superdrug said: “We are aware that some customers are experiencing difficulties in [changing their passwords] - we appreciate this is very frustrating and we are doing everything we can on this. We are very sorry for the inconvenience and concern this has caused.”
The company has contacted the police and Action Fraud, the UK’s national fraud and cyber crime arm, and said it will be offering them “all the information they need for their investigation”.
Responding to the hack, Sam Curry, chief security officer at cybersecurity company Cybereason, said the breach represented another blow to online users’ collective privacy, adding that the list of companies suffering similar compromises to customer information is “in the thousands”.
He said: “Today, every consumer should be working under the assumption that their personal information has been compromised many times over, and the latest Superdrug hack is a reminder that they should watch their identities and credit for abuses.”
Sanjay Ramnath, vice president at IT security company AlienVault, commented that while at present there was limited information as to how the hackers obtained usernames and passwords, the incident “underscores the attractiveness of the retail sector as a target for cyber-attacks”.
Ryan Wilk, vice president at NuData Security, said that the rise in online account hacks is seeing e-commerce organisations, banks and financial institutions turn to multi-layered security strategies using passive biometrics and behavioural analytics.
“These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen,” he warned.
It is not the first case of a major retailer finding its customer account details hacked. Dixons Carphone revealed last month that a 2017 cyber hack could have resulted in the compromise of more than 10 million customer accounts.