British beauty chain Superdrug has advised customers of a possible breach of personal data. The Superdrug hack is the latest in a long line of breaches in the retail sector, highlighting the attraction of the industry to would-be attackers.

The information provided by the company suggests that the breach, which came to light on 20th August, is relatively mild in comparison to other incidents, such as the recent Dixons Carphone data breach. No payment data was involved.

“There is no evidence that Superdrug’s systems have been compromised,” wrote Peter Macnab, CEO of Superdrug, in an email to customers.

“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website. The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386.”

The appeal of the retail sector to hackers

With so many retail companies becoming the target of attacks, it’s clear that this industry is of particular risk from cyberattacks.

“This underscores the attractiveness of the retail sector as a target for cyberattacks,” said Sanjay Ramnath, VP at AlienVault.

“It is critical then for organisations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken.”

“At a time when there are concerns about the health of the UK high street it’s concerning to see another large retailer having to acknowledge a breach of user accounts and potential loss of data,” added Steven Peake, technical engineer at Barracuda Networks Limited.

Was the Superdrug hack the first case of GDPR blackmail?

It is well-known how expensive a breach can be for retailers in the post-GDPR world, with the worst offenders at risk of being fined up to 4% of their annual global revenue.

As a result, there is more incentive than ever for retailers to contain and minimise such a breach, which may be why the attackers appear to have ransomed the bulk of the alleged 20,000 customers’ data.

“Whilst there is little detail in the communications to date, the hacker has clearly released a number of stolen records to Superdrug, to prove they have some portion of customer information,” said  Andy Norton, director of threat intelligence at Lastline.

“Superdrug have not stated the hackers demands but this could be the first case of attempted GDPR blackmail.”

3 Things That Will Change the World Today

Attacks across multiple retailers

The nature of the Superdrug hack supports established cybersecurity advice about the advisability of using the same password across multiple accounts.

The attackers likely purchased the collection of data from other historic breaches or from phishing scams to the users’ email addresses. This shows how using the same credentials across multiple online platforms risks giving attackers the ability to complete an account takeover attack,” said Peake.

“Using single passwords per online platform is no longer just a good idea. It is an everyday requirement.”

Retailers, then, should take additional steps to encourage users to vary their passwords.

“The sooner that users receive training on these best practices the better, before the goodwill towards high street retailers erodes entirely.”