UK retailer Superdrug warns 20,000 customers of possible data theft

The chain says it was the victim of an extortion attempt.

Sean Keane Former Senior Writer

Superdrug says a hacker demanded a bitcoin ransom after claiming to have stolen customer data.

British pharmacy chain Superdrug told customers on Tuesday to change their passwords after a hacker claimed to have stolen personal data of 20,000 online shoppers.

The retailer said the hacker demanded a ransom of two bitcoin -- or currently about $13,000 -- on Monday, Reuters reported.

The hacker shared 386 accounts with the company as proof of the deed, but Superdrug's security advisers said that those details were obtained in a previous hacking attempt -- one unrelated to Superdrug -- and that there was no evidence Superdrug's servers were compromised.

Superdrug said in a statement that no payment information had been accessed, but customers' names, addresses, dates of birth, phone numbers and loyalty point balances may have been. Superdrug directly emailed the people believed to have been affected.

"In line with good security practice, we are advising all our customers to change their passwords now and on a frequent basis," Superdrug said in the statement. "We have contacted the Police and Action Fraud (the UK's national fraud and cyber-crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers' data incredibly seriously."

Superdrug's reaction to the hacking claim earned praise from Sarah Armstrong-Smith, chief of continuity and resilience at IT services provider Fujitsu UK and Ireland, who contrasted it with Uber's reaction to a 2017 data breach. "Cyber criminals are entrepreneurial, well-funded and well-motivated and instead of remaining reactive, businesses must transition to a proactive stance," she said in a statement.

In July, UK-based Dixons Carphone revealed that a 2017 cyberattack may have affected 10 million records containing personal data -- far more than its original estimate.