(Reuters) – British health and beauty retailer Superdrug has told its online customers to change their passwords after it was the victim of an extortion attempt from an individual claiming to have obtained shoppers’ personal information.
A woman walks past a branch of Superdrug in Loughborough, Britain. Aug 22, 2018. REUTERS/Darren Staples
The firm, part of the A.S. Watson Group, said on Monday it was contacted by an individual claiming to have information on about 20,000 online customers and was seeking a ransom of 2 bitcoin – worth about $13,337 at current rates.
“We believe they obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” Superdrug said.
However, it said Superdrug’s independent security advisors confirmed there were no signs of a hack of its systems and also confirmed that the 386 accounts shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to the retailer.
“There is no evidence from our perspective … that Superdrug.com’s servers have been compromised,” a spokeswoman for the retailer said.
Superdrug said no payment card information had been compromised but said customers’ names, addresses and, in some instances, date of birth, phone number and loyalty points balances might have been accessed.
It has directly notified customers it believes may have had their accounts accessed.
“In line with good security practice, we are…