Britain's Superdrug says victim of extortion attempt
today Aug 22, 2018
British health and beauty retailer Superdrug has told its online customers to change their passwords after it was the victim of an extortion attempt from an individual claiming to have obtained shoppers' personal information.
The firm, part of the A.S Watson Group, said on Monday it was contacted by an individual claiming to have information on about 20,000 online customers and was seeking a ransom of 2 bitcoin - worth about $13,337 at current rates.
"We believe they obtained customers' email addresses and passwords from other websites and then used those credentials to access accounts on our website," Superdrug said.
However, it said Superdrug's independent security advisors confirmed there were no signs of a hack of its systems and also confirmed that the 386 accounts shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to the retailer.
"There is no evidence from our perspective ... that Superdrug.com's servers have been compromised," a spokeswoman for the retailer said.
Superdrug said no payment card information had been compromised but said customers' names, addresses and, in some instances, date of birth, phone number and loyalty points balances might have been accessed.
It has directly notified customers it believes may have had their accounts accessed.
"In line with good security practice, we are advising all our customers to change their passwords now and on a frequent basis," it said.
Superdrug has also contacted the police and Action Fraud - Britain's national fraud and cyber-crime arm.
Cyber attacks are becoming increasingly common in Britain.
Mobile phone and electricals retailer Dixons Carphone said in June it had become the victim of a major attack for the second time in three years after discovering unauthorised access to its payment card data.
In 2016, the Information Commissioner's Office fined broadband provider TalkTalk 400,000 pounds for security failings that allowed hackers to launch a cyber-attack in 2015.
© Thomson Reuters 2019 All rights reserved.