A computer criminal claims to have stolen the personal data and account information of 20,000 British pharmacy chain customers. On 21 August, certain customers of UK health and beauty retailer Superdrug received an email warning them about the "possible disclosure of [their] personal data." It wasn't long before that notice began making the rounds on Twitter. According to the service message written by CEO Peter Macnab, a computer criminal reached out to Superdrug on 20 August and informed the company that they had stolen 20,000 customers' shopping information. Macnab said the company responded to the claim by reviewing its systems. It discovered no evidence of an internal system compromise, raising the possibility for Superdrug of the criminal having obtained the information from other data breaches and successfully reused the credentials to attack its customers. With customers' login details, the criminal might have succeeded in stealing shoppers' names, physical addresses, dates of birth, phone numbers and point balances. Superdrug therefore recommended that customers change their passwords while it works with law enforcement to better understand what happened. As quoted in the data disclosure notice:
We have contacted the Police and Action Fraud (the UK's national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers' data incredibly seriously.
Superdrug confirmed the legitimacy of its service message on Twitter. Some customers weren't impressed, however. A few took offense at the company not having explicitly apologized for the possible security incident. https://twitter.com/LaganClaire/status/1031973001636536320 Others said that they were having trouble logging on to change their passwords. https://twitter.com/MrChrisWilson/status/1031964803898720257 https://twitter.com/EllenA1997/status/1031956863426994183?ref_src=twsrc%5Etfw The retailer acknowledged those login problems in a subsequent tweet and apologized for the resultant frustration and inconvenience. News of this potential data disclosure comes less than a month after Dixon's Carphone, one of the largest consumer electronics retailers in Europe, revealed that a 2017 data breach might have exposed 10 million records containing personal information.
