Superdrug has become the latest high street chain to be targeted by hackers holding customer data to ransom.
According to the store, hackers contacted them on Monday evening saying they had obtained details on approximately 20,000 customers.
Superdrug said customers’ names, addresses and in some cases dates of birth, phone number and points balances may have been accessed but no payment or card information had been taken.
So far, Superdrug has seen 386 of the accounts compromised.
A spokeswoman for the company said: ‘The hacker shared a number of details with us to try and “prove” he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.’
Customers who may have had their data harvested received an email and were asked to change their passwords, and to change them regularly in the future.
The email read: ‘We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.’
Superdrug tweeted on Tuesday: ‘To customers who have received an email from us today, this email is genuine. We recommend you follow the steps outlined.’
One angry customer tweeted: ‘Not even an apology. Your responsibility to keep our information safe. Disappointed.’
Another said: ‘What a cagey and cryptic tweet, something you’re embarrassed to talk about?’
The cosmetic firm followed up the earlier tweet, and responded to the storm surrounding its lack of an apology with a longer message to its customers.
It read: ‘We are very sorry for the inconvenience and concern this has caused.’
Jake Moore, security specialist at ESET, an IT security company that offers anti-virus and firewall products, said: ‘As with any breach, it is important to follow some simple steps in order to stay safe if your details have been compromised.
‘It is unknown when this breach occurred, so the GDPR implications may not be obvious just yet. However, Superdrug did send out an email offering recommended steps and authenticated it by sending a tweet.
‘Firstly, ensure you have a strong complex password on any accounts that have a link to your personal information, for example, your name, job title, address, phone number.’
Last year, retailer Dixons Carphone, which owns a number of electrical and tech brands including Currys and PC World, was subject to one of the biggest data breaches in history.
Around 10 million records containing personal data were accessed.
In 2015, mobile network TalkTalk was targeted by hackers who exploited a flaw (a SQL injection vulnerability) in the company’s website, resulting in 157,000 customer records being accessed.