British beauty chain Superdrug has advised customers of a possible breach of personal data. The Superdrug hack is the latest in a long line of breaches in the retail sector, highlighting the attraction of the industry to would-be attackers.
The information provided by the company suggests that the breach, which came to light on 20th August, is relatively mild in comparison to other incidents, such as the recent Dixons Carphone data breach. No payment data was involved.
“There is no evidence that Superdrug’s systems have been compromised,” wrote Peter Macnab, CEO of Superdrug, in an email to customers.
“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website. The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386.”
The appeal of the retail sector to hackers
With so many retail companies becoming the target of attacks, it’s clear that this industry is at particular risk from cyberattacks.
“This underscores the attractiveness of the retail sector as a target for cyberattacks,” said Sanjay Ramnath, VP at AlienVault.
“It is critical then for organisations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken.”
“At a time when there are concerns about the health of the UK high street it’s concerning to see another large retailer having to acknowledge a breach of user accounts and potential loss of data,” added Steven Peake, technical engineer at Barracuda Networks Limited.
Was the Superdrug hack the first case of GDPR blackmail?
It is well known how expensive a breach can be for retailers in the post-GDPR world, with the worst offenders at risk of being fined up to 4% of their annual global revenue.
As a result, there is more incentive than ever for retailers to contain and minimise such a breach, which may be why the attackers appear to have ransomed the bulk of the alleged 20,000 customers’ data.
“Whilst there is little detail in the communications to date, the hacker has clearly released a number of stolen records to Superdrug, to prove they have some portion of customer information,” said Andy Norton, director of threat intelligence at Lastline.
“Superdrug have not stated the hacker’s demands but this could be the first case of attempted GDPR blackmail.”
Attacks across multiple retailers
The nature of the Superdrug hack supports established cybersecurity advice against using the same password across multiple accounts.
“The attackers likely purchased the collection of data from other historic breaches or from phishing scams to the users’ email addresses. This shows how using the same credentials across multiple online platforms risks giving attackers the ability to complete an account takeover attack,” said Peake.
“Using single passwords per online platform is no longer just a good idea. It is an everyday requirement.”
Retailers, then, should take additional steps to encourage users to vary their passwords.
“The sooner that users receive training on these best practices the better, before the goodwill towards high street retailers erodes entirely.”