Superdrug has warned that 20,000 customers may have had their details stolen, though it has found no evidence to suggest hackers took them from its own systems.
On Monday night, the company emailed customers who have purchased products online to notify them of the possible breach, explaining that their names, addresses, dates of birth, phone numbers and bonus card point balances may have been taken. They said no payment information has been accessed.
The email read: “On the evening of 20th August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information. There is no evidence that Superdrug’s systems have been compromised.”
The company said the hacker has claimed to have obtained information on approximately 20,000 customers, but said it had only seen evidence of 386.
In a statement issued to HuffPost UK on Wednesday morning, a Superdrug spokesperson added that following further investigation from “independent IT security advisors” they found “no signs of a hack of our systems”.
A spokesperson said there had been “no mass data download or extraction” from Superdrug’s systems.
“They [The IT security advisors] also confirmed that the 386 accounts that were shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to Superdrug.”
Customers are being advised to change their passwords. As people have rushed to do so, some have suffered difficulties logging on to the website and Superdrug also “apologise for any inconvenience caused”.
Superdrug has contacted the Police and Action Fraud, who oversee national fraud and cyber-crime cases.
The Information Commissioner’s Office (ICO), the UK’s independent body which upholds information rights, said that they have “been made aware of a potential incident involving Superdrug and will be making enquiries”.
The possible data breach comes just one month after high street retailer Dixons Carphone Warehouse apologised after revealing that a 2017 breach of its systems resulted in 8.8 million customer records being accessed.
Dixons Carphone chief executive Alex Baldock said at the time: “We’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”