A computer criminal claims to have stolen the personal data and account information of 20,000 British pharmacy chain customers.
On 21 August, certain customers of UK health and beauty retailer Superdrug received an email warning them about the “possible disclosure of [their] personal data.” It wasn’t long before that notice began making the rounds on Twitter.
According to the service message written by CEO Peter Macnab, a computer criminal reached out to Superdrug on 20 August and informed the company that they had stolen 20,000 customers’ shopping information.
Macnab said the company responded to the claim by reviewing its systems. It found no evidence that any internal system had been compromised, which raised the possibility that the criminal had obtained the information from other data breaches and reused those credentials to log in to Superdrug customers' accounts.
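The scenario Superdrug describes, credentials leaked elsewhere and replayed against its own login page, leaves a recognisable trace in authentication logs: one source address trying many different accounts with a high failure rate, and the occasional success where a reused password happened to match. The script below is an added example, not Superdrug's code; it runs over a constructed log in an assumed format (`timestamp source-IP username SUCCESS|FAIL`), flags sources that fit that pattern, and lists the accounts that succeeded from a flagged source as the ones whose passwords should be reset first.

```python
"""Spot credential-stuffing activity in login logs and list accounts to reset.

Added example, not Superdrug's code. The log format is an assumption:
one event per line, "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one address cycling through many accounts (stuffing),
# plus two ordinary users logging in from their own addresses.
SAMPLE_LOG = """\
2018-08-20T01:00:01Z 203.0.113.7 alice@example.com FAIL
2018-08-20T01:00:02Z 203.0.113.7 bob@example.com FAIL
2018-08-20T01:00:03Z 203.0.113.7 carol@example.com SUCCESS
2018-08-20T01:00:04Z 203.0.113.7 dave@example.com FAIL
2018-08-20T01:00:05Z 203.0.113.7 erin@example.com FAIL
2018-08-20T01:00:06Z 203.0.113.7 frank@example.com SUCCESS
2018-08-20T01:00:07Z 203.0.113.7 grace@example.com FAIL
2018-08-20T01:00:08Z 203.0.113.7 heidi@example.com FAIL
2018-08-20T09:15:00Z 198.51.100.23 alice@example.com FAIL
2018-08-20T09:15:20Z 198.51.100.23 alice@example.com SUCCESS
2018-08-20T10:02:00Z 192.0.2.44 bob@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP tally of what was attempted and what got through."""
    usernames: set = field(default_factory=set)
    failures: int = 0
    successes: int = 0
    successful_users: set = field(default_factory=set)


def parse_log(text):
    """Turn the assumed log format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines rather than crash
        ts, ip, user, outcome = parts
        events.append((ts, ip, user, outcome == "SUCCESS"))
    return events


def summarise_by_source(events):
    stats = defaultdict(SourceStats)
    for _, ip, user, ok in events:
        s = stats[ip]
        s.usernames.add(user)
        if ok:
            s.successes += 1
            s.successful_users.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(stats, min_users=5, min_fail_ratio=0.6):
    """Source IPs whose pattern looks like credential stuffing: many distinct
    accounts tried from one address, mostly failing. Thresholds are assumptions
    to tune against a site's own baseline."""
    flagged = set()
    for ip, s in stats.items():
        total = s.failures + s.successes
        if len(s.usernames) >= min_users and s.failures / total >= min_fail_ratio:
            flagged.add(ip)
    return flagged


def accounts_to_reset(stats, flagged):
    """Accounts that logged in successfully from a flagged source: the password
    they use here is probably one already exposed in another breach."""
    out = set()
    for ip in flagged:
        out |= stats[ip].successful_users
    return out


def analyse(text, **thresholds):
    stats = summarise_by_source(parse_log(text))
    flagged = flag_stuffing_sources(stats, **thresholds)
    return flagged, accounts_to_reset(stats, flagged)


if __name__ == "__main__":
    flagged, reset = analyse(SAMPLE_LOG)
    print("suspect sources:", sorted(flagged))
    print("force password reset for:", sorted(reset))
```

The ordinary users are not flagged even though one of them also had a failed attempt, because the signal is breadth across accounts from a single source rather than any single failure; in practice the same tally should also be keyed on user agent and on shared proxy ranges, since a stuffing campaign rarely comes from one address for long.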
With customers’ login details, the criminal might have succeeded in stealing shoppers’ names, physical addresses, dates of birth, phone numbers and point balances. Superdrug therefore recommended that customers change their passwords while it works with law enforcement to better understand what happened. As quoted in the data disclosure notice:
We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.
Superdrug confirmed the legitimacy of its service message on Twitter. Some customers weren’t impressed, however. A few took offense at the company not having explicitly apologized for the possible security incident.
No apology? Absolutely ridiculous you haven't protected customers' information. I'll be closing my account. Superdrug obviously can't be trusted with my details.
— Claire Lagan (@LaganClaire) August 21, 2018
Others said that they were having trouble logging on to change their passwords.
Can not access my online account! Absolutely appalling that there wasn’t even an apology to go with that email! I’ve just had to change all my accounts to a different email address because I can’t log on! Your responsibility to secure everyone’s details!! Fuming!!
— Chris Wilson (@MrChrisWilson) August 21, 2018
I would be able to change my password but tried from 4 different devices and the website keeps giving me an internal server error. Not acceptable that I might have my details compromised and I can't change my password.
— Ellen Auckland (@EllenA1997) August 21, 2018
The retailer acknowledged those login problems in a subsequent tweet and apologized for the resultant frustration and inconvenience.
News of this potential data disclosure comes less than a month after Dixons Carphone, one of the largest consumer electronics retailers in Europe, revealed that a 2017 data breach might have exposed 10 million records containing personal information.