
UK retailer Superdrug warns 20,000 customers of possible data theft

The chain says it was the victim of an extortion attempt.

Superdrug says a hacker demanded a bitcoin ransom after claiming to have stolen customer data.

British pharmacy chain Superdrug told customers on Tuesday to change their passwords after a hacker claimed to have stolen personal data of 20,000 online shoppers.

The retailer said the hacker demanded a ransom of two bitcoin -- or currently about $13,000 -- on Monday, Reuters reported.

The hacker shared 386 accounts with the company as proof of the deed, but Superdrug's security advisers said that those details were obtained in a previous hacking attempt -- one unrelated to Superdrug -- and that there was no evidence Superdrug's servers were compromised.

Superdrug said in a statement that no payment information had been accessed, but customers' names, addresses, dates of birth, phone numbers and loyalty point balances may have been. Superdrug directly emailed the people believed to have been affected.

"In line with good security practice, we are advising all our customers to change their passwords now and on a frequent basis," Superdrug said in the statement. "We have contacted the Police and Action Fraud (the UK's national fraud and cyber-crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers' data incredibly seriously."

Superdrug's reaction to the hacking claim earned praise from Sarah Armstrong-Smith, chief of continuity and resilience at IT services provider Fujitsu UK and Ireland, who contrasted it with Uber's reaction to a 2017 data breach. "Cyber criminals are entrepreneurial, well-funded and well-motivated and instead of remaining reactive, businesses must transition to a proactive stance," she said in a statement.

In July, UK-based Dixons Carphone revealed that a 2017 cyberattack may have affected 10 million records containing personal data -- far more than its original estimate.