Cyber criminals hold Superdrug to ransom with alleged data breach

Superdrug has been held to ransom by hackers who claim to have information on a ledger of approximately 20,000 of its online customers.

The information did not include card payment details, but possible disclosure could include names, addresses, birthdays, phone numbers and a points balance which the firm said was obtained via access to other websites.

Those who may have had their data harvested were then sent a prompt to change their password by the firm.

The retailer has since contacted the Police and Action Fraud and said that it had been communicating with its online customers to advise them of the event.

In a statement today on Twitter (pictured), the high-street chain apologized for the inconvenience and advised customers to change their passwords frequently as a security measure.

Although cyber is a relatively new risk, many insurance policies will not have this explicitly written into them.

Tracey Skinner, one of Airmic’s board members and insurance director at BT Group, said that cyber insurance is a “partnership.” Companies now have an added first-party risk that could interrupt business on top of third-party risk which could affect customers.

A spokesperson for Superdrug said: “We continue to take the responsibility of safeguarding our customers’ data very seriously.”

The high street chain said it had been called by someone on Monday 20 August who claimed that they had got hold of personal data from its online customers and used certain details to ‘prove’ he had this information.

However, the stores independent IT security advisors said that the 386 accounts shared as “proof of the attack” were those obtained in a previous hack and unrelated to the store.

A spokesperson from Action Fraud said: “If you think you have been a victim of fraud as a result of a data breach, please report it to Action Fraud either online or by calling 0300 123 2040.”

Cyber covers have ”shifted from its origins” as ransomware peaks

James Burns, cyber product leader at CFC Underwriting, said: “This is not a particularly big incident given the numbers involved and whilst it’s not clear what data was compromised, it doesn’t appear to be very sensitive information.

“One interesting thing to note is the reaction of Superdrug’s customers to how they communicated the breach – the blame is being squarely pointed at Superdrug even though they confirm that there is no evidence that they themselves have been breached and that it is entirely possible that the customer data in question has been obtained elsewhere (brings into focus the whole concept of “phantom breaches” – where an entity may not have been breached themselves but their customer details have been gleaned and pieced together from other breaches).

Skinner noted recently that the focus of cyber covers has “shifted from its origins” and it continues to evolve.

This can be seen from AIG Europe’s cyber claims report which shows ransomware was the most popular form of attack in 2017, and it warned that GDPR could worsen things. The report found that over a quarter of claims last year were a result of ransomware attacks. 

Burns, added: “This is of course is part of the growing trend in data breach events that we’re seeing in the UK and globally. This also doesn’t seem to be a “straight up” data breach but actually an attempted extortion of Superdrug – also something that we have seen much more of recently.”

After a spate of cyber-attacks in the UK, the worst hit being the NHS being targeted by the WannaCry virus last May, which triggered the cancellation of around 20,000 hospital appointments and operations.

This year, in April, the NHS announced that it was allocating £150m to bolster its online security system.

Twitter was also subject to a bug that exposed its 330m users’ passwords in May this year, the firm urged its customers to change their passwords.

Whilst last year, Dixons Carphone was targeted with customer data being illegally accessed from 1.2 million of its customers, however due to an ongoing investigation the firm has now said that the figure was around 10m, and it indicated that there may have been an ”attempt to compromise” 5.9m credit card numbers in its processing system.