High Street chain Superdrug says there is no evidence that its systems have been compromised, essentially calling the bluff of “hackers” who claimed to have obtained the data of 20,000 customers and were allegedly hoping to extort the chain into paying up for their silence.

The company has been sending out emails to its customers to inform them that their privacy has been breached, but Superdrug continues to assert that there is no evidence its systems have been hacked – nor that the compromised accounts of its users number anything near the alleged 20,000.

In an email blast sent out Tuesday, Superdrug stated: “On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information… There is no evidence that Superdrug’s systems have been compromised.”

The hackers claim to have obtained the customer data of 20,000 Superdrug users, yet the company says it has only seen evidence of 386.

GDPR Ransom?

Dr Jamie Graves, CEO and founder of ZoneFox, commented in an emailed statement: “It’s still not yet clear exactly how hackers got hold of Superdrug customer details, and this lack of clarity is already causing concern among customers. It could have been a low-technology simple phishing scam or something more complex.”

“Following in the footsteps of the recent Dixons Carphone and Ticketmaster breaches, both Superdrug and the retail sector as a whole must learn lessons from what is now becoming a litany of major UK companies losing control of customer data.”

Superdrug has contacted the police and Action Fraud about the hackers’ demands and will be working with them to move the investigation forward. In doing this, and in contacting its customers to inform them of the potential breach, Superdrug has stayed on the right side of the GDPR sword of Damocles.

If the hackers hoped to quietly leave a ransom note in the expectation that Superdrug would keep quiet and cover up the supposed breach (GDPR fines can be based on the scale of a breach), they were sorely mistaken.

Time for an Authentication Rethink?

Andy Cory, Identity Management Services lead at KCOM told Computer Business Review: “A company can mandate all the passwords they want, but they cannot force customers to keep them secret. While consumers value security, they often lack the awareness to know when they have compromised their own.

“While a customer’s security weakness does not help, a weak authentication system is a company’s problem as well as its responsibility. If a business cannot provide easy access to its services or a secure sign-in process for its customers, it only has itself to blame when its users desert.”

He added: “Fortunately, there is a way to achieve the best of both worlds. If customers grumble at sign-in procedures and cannot be depended on to keep their security information safe, then the process can and should be removed. This is not to recommend that identity access management be taken out of the equation, only that the legwork is transferred from the customer to the business – organisations need to make the process simple and time efficient for their customers.”