Superdrug targeted by hackers who claim to have 20,000 customer details

Health and beauty retailer advises online customers to change their passwords

Superdrug has advised its online customers to change their passwords after the high street chain was targeted by hackers claiming to have stolen the personal details of thousands of people.

The health and beauty retailer told customers it had been contacted by a group on Monday evening claiming to have obtained the details of 20,000 customers, including names, addresses, dates of birth and phone numbers.

Superdrug said in the email to customers the company had only seen evidence so far that 386 of the accounts had been compromised.

A spokeswoman said: “The hacker shared a number of details with us to try to prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.”

To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.

— Superdrug (@superdrug) August 21, 2018

The company said the information stolen did not include payment card information.

“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” it said.

Advising customers to change their passwords, Superdrug added: “We take our responsibility to protect your personal information very seriously and that is why we have let our customers know as soon as we could.

“We have contacted the police and Action Fraud [the UK’s national fraud and cyber-crime arm] and will be offering them all the information they need for their investigation.”


Superdrug said it was aware that some customers had found they were unable to change their passwords when trying to do so and apologised for the inconvenience.

“We appreciate this is very frustrating and we are doing everything we can on this,” the company said.

One customer said she had tried and failed to change her password on four different devices.

I would be able to change my password but tried from 4 different devices and the website keeps giving me an internal server error. Not acceptable that I might have my details compromised and I can't change my password.

— Ellen Auckland (@EllenA1997) August 21, 2018

Superdrug is the latest high street retailer to report a data breach. Last month Dixons Carphone said personal data belonging to 10 million customers may have been accessed illegally last year, nearly 10 times as many as the firm initially thought.

The electronics retailer had estimated the attack – one of the biggest-ever data breaches – involved 1.2m personal records when it first reported the breach in June.


Angela Monaghan
