British beauty chain Superdrug has advised customers of a possible breach of personal data. The Superdrug hack is the latest in a long line of breaches in the retail sector, highlighting the attraction of the industry to would-be attackers.

The information provided by the company suggests that the breach, which came to light on 20th August, is relatively mild in comparison to other incidents, such as the recent Dixons Carphone data breach. No payment data was involved.

“There is no evidence that Superdrug’s systems have been compromised,” wrote Peter Macnab, CEO of Superdrug, in an email to customers.

“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website. The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386.”

The appeal of the retail sector to hackers

With so many retail companies becoming the target of attacks, it’s clear that this industry is of particular risk from cyberattacks.

“This underscores the attractiveness of the retail sector as a target for cyberattacks,” said Sanjay Ramnath, VP at AlienVault.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“It is critical then for organisations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken.”

“At a time when there are concerns about the health of the UK high street it’s concerning to see another large retailer having to acknowledge a breach of user accounts and potential loss of data,” added Steven Peake, technical engineer at Barracuda Networks Limited.

Was the Superdrug hack the first case of GDPR blackmail?

It is well-known how expensive a breach can be for retailers in the post-GDPR world, with the worst offenders at risk of being fined up to 4% of their annual global revenue.

As a result, there is more incentive than ever for retailers to contain and minimise such a breach, which may be why the attackers appear to have ransomed the bulk of the alleged 20,000 customers’ data.

“Whilst there is little detail in the communications to date, the hacker has clearly released a number of stolen records to Superdrug, to prove they have some portion of customer information,” said  Andy Norton, director of threat intelligence at Lastline.

“Superdrug have not stated the hackers demands but this could be the first case of attempted GDPR blackmail.”

Attacks across multiple retailers

The nature of the Superdrug hack supports established cybersecurity advice about the advisability of using the same password across multiple accounts.

The attackers likely purchased the collection of data from other historic breaches or from phishing scams to the users’ email addresses. This shows how using the same credentials across multiple online platforms risks giving attackers the ability to complete an account takeover attack,” said Peake.

“Using single passwords per online platform is no longer just a good idea. It is an everyday requirement.”

Retailers, then, should take additional steps to encourage users to vary their passwords.

“The sooner that users receive training on these best practices the better, before the goodwill towards high street retailers erodes entirely.”