August 22, 2018

Superdrug to “Hackers”: No Evidence You’ve Pwned Our Systems

Fortunately the credit card details of customers don’t appear to be held to ransom at this stage

By CBR Staff Writer

High Street chain Superdrug says there is no evidence that its systems have been compromised, essentially calling the bluff of “hackers” who claimed to have obtained the data of 20,000 customers and were allegedly hoping to extort the chain into paying for their silence.

The company has been sending out emails to its customers to inform them that their privacy has been breached, but Superdrug continues to assert that there is no evidence its systems have been hacked – nor that the compromised accounts of its users number anything near the alleged 20,000.

In an email blast sent out Tuesday, Superdrug stated that: “On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information… There is no evidence that Superdrug’s systems have been compromised.”

The hackers claim to have obtained the customer data of 20,000 Superdrug users, yet the company says it has only seen evidence of 386.


GDPR Ransom?

Dr Jamie Graves, CEO and founder of ZoneFox, commented in an emailed statement that: “It’s still not yet clear exactly how hackers got hold of Superdrug customer details, and this lack of clarity is already causing concern among customers. It could have been a low-technology simple phishing scam or something more complex.”

“Following in the footsteps of the recent Dixons Carphone and Ticketmaster breaches, both Superdrug and the retail sector as a whole must learn lessons from what is now becoming a litany of major UK companies losing control of customer data.”

Superdrug has contacted the police and Action Fraud about the hackers’ demands and will be working with them to move the investigation forward. By doing this, and by contacting its customers to inform them of the potential breach, Superdrug has stayed on the right side of the GDPR sword of Damocles.

If the hackers hoped to quietly leave a ransom note in the expectation that Superdrug would keep quiet and cover up the supposed breach (GDPR fines can be based on the scale of a breach), they were sorely mistaken.

Time for an Authentication Rethink?

Andy Cory, Identity Management Services lead at KCOM told Computer Business Review: “A company can mandate all the passwords they want, but they cannot force customers to keep them secret. While consumers value security, they often lack the awareness to know when they have compromised their own.

“While a customer’s security weakness does not help, a weak authentication system is a company’s problem as well as its responsibility. If a business cannot provide easy access to its services or a secure sign-in process for its customers, it only has itself to blame when its users desert.”

He added: “Fortunately, there is a way to achieve the best of both worlds. If customers grumble at sign-in procedures and cannot be depended on to keep their security information safe, then the process can and should be removed. This is not to recommend that identity access management be taken out of the equation, only that the legwork is transferred from the customer to the business – organisations need to make the process simple and time efficient for their customers.”
