Superdrug says data was obtained in an unrelated attack

Superdrug, one of the UK’s largest health and beauty chains, has asked users of its online service to change passwords, following a security incident on Monday that may have compromised the information of approximately 20,000 people.

The retailer said that it had been contacted on Monday evening by a lone attacker who claimed to have obtained customer email addresses and passwords and demanded a ransom of 2 bitcoin (about $13,000) for the information.

“We believe they obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” Superdrug said in a statement, adding that its security team had confirmed there had been no breach of the company’s network.

“For example, there has been no mass data download or extraction from our systems,” Superdrug said.

“They also confirmed that the 386 accounts that were shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to Superdrug.”

The police and the UK fraud-reporting body Action Fraud were subsequently contacted, and it has yet to be determined whether the information of all 20,000 customers was affected.

Superdrug said: “We confirm that no payment card information has been compromised. In line with good security practice, we are advising all our customers to change their passwords now and on a frequent basis.”

The health and beauty giant said that further sensitive information, such as dates of birth and phone numbers, may also have been accessed.

The attacker has not yet been identified by the authorities, and the investigation continues. It is believed that no ransom was paid.
