Superdrug denies data breach
Superdrug has warned online customers it believes may have had personal details exposed, but claims its systems were not compromised, in what could be the first GDPR-related extortion attempt
Superdrug has urged online customers to change their passwords after cyber criminals claimed to have stolen personal details of 20,000 people registered on the retailer's website.
The retailer claims it was the target of an extortion attempt and that there is “no evidence” its computer systems have been breached.
“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” the company said in a statement, underlining the need to use unique passwords for each online account.
Cyber criminals routinely exploit poor password practices, particularly password re-use, which means usernames and passwords stolen from one online service provider are often valid for accessing accounts at other providers.
The retailer believes only 386 customers were affected and said they had been contacted and advised that their names, addresses and “in some cases” dates of birth and phone numbers were exposed, but no payment card details were involved.
Superdrug said it had notified the UK’s national fraud and cyber crime reporting centre, Action Fraud, about the incident.
Since the EU’s General Data Protection Regulation (GDPR) and GDPR-aligned UK data protection legislation came into effect, organisations are under increased pressure to ensure personal data is kept securely or face a range of punitive measures that could seriously affect their bottom line.
“Superdrug have not stated the hackers’ demands, but this could be the first case of attempted GDPR blackmail,” said Andy Norton, director of threat intelligence at security firm Lastline.
Ahead of the GDPR compliance deadline, industry commentators expressed fears that cyber criminals would see the potential punitive measures for data breaches introduced by the legislation as an opportunity to extort money from organisations by threatening to go public with evidence of a breach.
Along with healthcare service providers, retailers are a prime target for cyber attackers seeking personal data for identity theft, fraud and other criminal activities.
“Today, every consumer should be working under the assumption their personal information has been compromised many times over, and the latest Superdrug hack is a reminder they should watch their identities and credit for abuses,” said Sam Curry, chief security officer at security firm Cybereason.
Sanjay Ramnath, vice-president at security firm AlienVault, said it is critical then for organisations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken.
“Complementing this with up-to-date threat intelligence data that can help identify emerging and popular threats against retailers. If compliance with industry standards like PCI DSS [payment card industry data security standard] and regulatory standards like GDPR are not found, then the consequences could be dire,” he said.
Changing passwords
Ramnath said any Superdrug customers contacted by the retailer should change their passwords or usernames not only on the Superdrug site, but also anywhere else they may have used that particular password to ensure criminals do not try to access other accounts.
To protect against post-breach damage, some retailers, e-commerce organisations, banks and financial institutions are implementing multi-layered security strategies using passive biometrics and behavioural analytics, according to Ryan Wilk, vice-president at NuData Security, a Mastercard company.
“These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen.”