Britain's Superdrug says victim of extortion attempt

[August 22, 2018]  (Reuters) - British health and beauty retailer Superdrug has told its online customers to change their passwords after it was the victim of an extortion attempt from an individual claiming to have obtained shoppers' personal information.

A woman walks past a branch of Superdrug in Loughborough, Britain. Aug 22, 2018. REUTERS/Darren Staples

The firm, part of the A.S Watson Group, said on Monday it was contacted by an individual claiming to have information on about 20,000 online customers and was seeking a ransom of 2 bitcoin - worth about $13,337 at current rates.

"We believe they obtained customers' email addresses and passwords from other websites and then used those credentials to access accounts on our website," Superdrug said.

However, it said Superdrug's independent security advisors confirmed there were no signs of a hack of its systems and also confirmed that the 386 accounts shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to the retailer.

"There is no evidence from our perspective ... that Superdrug.com's servers have been compromised," a spokeswoman for the retailer said.

Superdrug said no payment card information had been compromised but said customers' names, addresses and, in some instances, date of birth, phone number and loyalty points balances might have been accessed.

It has directly notified customers it believes may have had their accounts accessed.

"In line with good security practice, we are advising all our customers to change their passwords now and on a frequent basis," it said.

Superdrug has also contacted the police and Action Fraud - Britain's national fraud and cyber-crime arm.

Cyber attacks are becoming increasingly common in Britain.

Mobile phone and electricals retailer Dixons Carphone said in June it had become the victim of a major attack for the second time in three years after discovering unauthorized access to its payment card data.

In 2016, the Information Commissioner's Office fined broadband provider TalkTalk 400,000 pounds for security failings that allowed hackers to launch a cyber-attack in 2015.

(Reporting by James Davey in London and Kanishka Singh in Bengaluru; Editing by Edmund Blair)

[© 2018 Thomson Reuters. All rights reserved.]
