Tue. Jul 14th, 2020

Personal information of nearly 20,000 Superdrug customers has been leaked

According to the British newspaper Daily Mail, hackers contacted Superdrug on Monday (August 20th) night, saying they had obtained detailed personal information about 20,000 Superdrug customers. As evidence, the hacker also showed Superdrug the information records of 386 Superdrug customers.
Superdrug, a well-known British drug store, was founded in 1964. It specializes in health and beauty. It has more than 800 physical stores in the UK and was acquired by A.S. Watson in October 2002. Superdrug mainly sells skin care products, health products and daily necessities, including some well-known international brands such as Nivea, Maybelline, Real Techniques and John Frieda.
A spokesperson for Superdrug said: “The hacker shared a number of details with us to try and ‘prove’ he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.”
Superdrug confirmed that the personal information accessed and stolen by the hacker included the customer’s name and address, and the date of birth, phone number, and points balance for some customers. The only good news is that it does not include the customer’s payment card information.
Superdrug has sent an email to every potentially affected customer asking them to change their password and suggesting that they change it periodically in the future. The email read: “We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.”
Superdrug also wrote in a tweet posted on Tuesday: “To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.”
However, Superdrug is still trying to downplay the incident, insisting that the hacker obtained the credentials by compromising third parties, not by breaching Superdrug’s own systems. The hackers were then able to access the detailed personal information of Superdrug customers because they took advantage of the habit of using the same password across various online services.
At the moment, we are still unable to determine the authenticity of the Superdrug statement. The only certainty is that the personal information of Superdrug customers has indeed been leaked. The hacker’s purpose is most likely to extort a ransom from Superdrug, but the truth of the matter remains to be investigated by the police.