Superdrug has become the latest big-name high street brand to have suffered a damaging breach of customer data, after hackers apparently tried to hold the firm to ransom.
The UK health and beauty retailer has been sending emails out to those affected after reports suggested hackers contacted the firm on Monday to say they had data on 20,000 customers.
“The hacker shared a number of details with us to try and ‘prove’ he had customer information — we were then able to verify they were Superdrug customers from their email and log-in,” a spokeswoman told ITV News.
The firm has apparently confirmed that over 300 of the compromised accounts are genuine but appears to be trying to minimize the fallout.
There’s no public statement as yet on the incident on its website and a cryptic tweet on Tuesday seemed to skirt around the issue, stating:
“To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.”
Data stolen reportedly includes names, addresses, dates of birth and phone numbers as well as points balances, but not financial information. Superdrug maintains that its own systems have not been compromised and that the customer email addresses and passwords were instead obtained from breaches of other sites, which would mean the attacker was replaying passwords that customers had reused across services against Superdrug's login.
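The pattern Superdrug is describing, credentials harvested from other sites' breaches and replayed in bulk against a login form, leaves a distinctive trace in authentication logs: one source hitting many different usernames in a short window with a low success rate. The script below is an added example, not code from Superdrug or from the article, showing how a defender would flag that pattern and list the accounts the attacker successfully validated (the ones that need a forced password reset). The log format and the sample lines are constructed for the example; the thresholds are assumptions to tune per site.

```python
"""
Added example (not Superdrug's code or anything described on the page):
a small detector for the login pattern behind a credential-stuffing claim,
i.e. passwords from other sites' breaches replayed against a login endpoint.
Log format, sample lines and thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
# 203.0.113.5 sprays ten different accounts in six seconds and gets two hits;
# 198.51.100.7 is an ordinary user who mistypes once; 192.0.2.9 logs in cleanly.
SAMPLE_LOG = """\
2018-08-20T09:00:01 203.0.113.5 alice@example.com FAIL
2018-08-20T09:00:02 203.0.113.5 bob@example.com FAIL
2018-08-20T09:00:02 203.0.113.5 carol@example.com OK
2018-08-20T09:00:03 203.0.113.5 dave@example.com FAIL
2018-08-20T09:00:03 203.0.113.5 erin@example.com FAIL
2018-08-20T09:00:04 203.0.113.5 frank@example.com OK
2018-08-20T09:00:04 203.0.113.5 grace@example.com FAIL
2018-08-20T09:00:05 203.0.113.5 heidi@example.com FAIL
2018-08-20T09:00:05 203.0.113.5 ivan@example.com FAIL
2018-08-20T09:00:06 203.0.113.5 judy@example.com FAIL
2018-08-20T09:01:00 198.51.100.7 alice@example.com FAIL
2018-08-20T09:01:30 198.51.100.7 alice@example.com OK
2018-08-20T09:02:00 192.0.2.9 bob@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=8,
                    max_success_rate=0.5):
    """
    Flag source IPs that tried at least `min_users` distinct usernames inside
    any `window`-long period while succeeding rarely overall.  The distinct-user
    requirement keeps a single customer retrying their own password out of the
    result; the success-rate cap separates a spray from a shared office NAT.
    Returns {ip: stats} for flagged sources.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        peak, start = 0, 0
        # Sliding window over this IP's events, tracking the largest set of
        # distinct usernames seen within `window` of each other.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({e[2] for e in evs[start:end + 1]}))
        rate = sum(1 for e in evs if e[3]) / len(evs)
        if peak >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": len(evs),
                           "peak_distinct_users": peak,
                           "success_rate": rate}
    return flagged


def validated_accounts(events, flagged):
    """Usernames that a flagged source logged into successfully: these are the
    accounts whose reused password the attacker has now confirmed, and the
    ones to reset and notify first."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("validated accounts:", validated_accounts(evs, hits))
```

On the constructed log only 203.0.113.5 is flagged, and the two accounts it logged into are the ones a retailer in Superdrug's position would have to treat as confirmed compromised regardless of whether its own systems leaked anything. A real deployment would key on more than the source IP (stuffing tools rotate through proxies), and would pair the detection with a check of new passwords against a known-breach corpus so that reused credentials are rejected at the point of entry.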
Superdrug claimed to have contacted the police and Action Fraud UK and has urged its customers to change the passwords on their accounts.
Jake Moore, security specialist at ESET, urged customers to be on the lookout for follow-on phishing attacks.
“These scams are increasingly sophisticated and difficult to spot, therefore, as a rule of thumb, do not click on any links or download any documents that you are not expecting,” he added. “Try and verify if and where you can on the origin of an email before acting upon any requests.”