The health and beauty retail group Superdrug has advised online customers in Ireland to urgently change their passwords after the company was targeted by hackers claiming to have personal information on thousands of shoppers both here and in Britain.
It said it was advising Superdrug.com customers of a possible disclosure of personal information for up to 20,000 individuals, including names, addresses, dates of birth and phone numbers. The company said the information did not include payment card details.
The group, which has eight physical stores in Ireland and almost 800 across the UK, said it only had evidence of a small number of customer accounts being compromised. However, it was advising all customers with online accounts to change their passwords immediately as a precaution.
Superdrug said it was aware of some customers having difficulties accessing their accounts to update their passwords.
“We appreciate this is very frustrating and we are doing everything we can on this,” it said.
The retailer said it was contacted on Monday evening by an individual who claimed to have obtained a number of customers’ online shopping information and who was seeking a ransom.
“We believe they obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website. The hacker claims that they have obtained information on approximately 20,000 customers; this has not been confirmed,” the company said.
“We have worked with our independent IT security advisors who have confirmed that there have been no signs of a hack of our systems (for example, there has been no mass data download or extraction from our systems), they also confirmed that the 386 accounts that were shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to Superdrug,” it added.
The retailer said it had contacted the relevant authorities about the incident.
Superdrug is one of a number of well-known retailers to be targeted by attackers. Late last month, Dixons Carphone said about 10 million records containing personal data of customers may have been obtained in a cyber attack last year.