A computer criminal claims to have stolen the personal data and account information of 20,000 British pharmacy chain customers.
On 21 August, certain customers of UK health and beauty retailer Superdrug received an email warning them about the “possible disclosure of [their] personal data.” It wasn’t long before that notice began making the rounds on Twitter.
According to the service message written by CEO Peter Macnab, a computer criminal reached out to Superdrug on 20 August and informed the company that they had stolen 20,000 customers’ shopping information.
Macnab said the company responded to the claim by reviewing its systems. It discovered no evidence of an internal system compromise, which raised the possibility for Superdrug that the criminal had obtained the information from other data breaches and successfully reused the credentials to attack its customers.
With customers’ login details, the criminal might have succeeded in stealing shoppers’ names, physical addresses, dates of birth, phone numbers and point balances. Superdrug therefore recommended that customers change their passwords while it works with law enforcement to better understand what happened. As quoted in the data disclosure notice:
We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.
Superdrug confirmed the legitimacy of its service message on Twitter. Some customers weren’t impressed, however. A few took offense at the company not having explicitly apologized for the possible security incident.
No apology? Absolutely ridiculous you haven’t protected customers information. I’ll be closing my account. Superdrug obviously can’t be trusted with my details.
— Claire Lagan (@LaganClaire) August 21, 2018
Others said that they were having trouble logging on to change their passwords.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/criminal-claims-they-stole-20k-british-pharmacy-chain-customers-data/