Beauty and healthcare products retailer Superdrug Stores PLC recently suffered a cyber incident that compromised names, addresses, and in some cases, phone numbers and dates of birth of customers. Fortunately, no payment card information of customers was compromised during the incident.
Superdrug announced the breach in emails to affected customers and also mentioned the same in its social media handles, informing readers that it has informed Action Fraud UK about the cyber incident and is cooperating with law enforcement to investigate the breach.
"Today we have been communicating with our Superdrug.com customers to advise them of an event which may have resulted in the possible disclosure of some customers' personal information. This does not include payment card information but could include customers' names, addresses and, in some cases, date of birth, phone number and points balances.
"We take our responsibility to protect your personal information very seriously and that is why we have let our customers know as soon as we could. We have contacted the Police and Action Fraud (the UK's national fraud and cyber-crime arm) and will be offering them all the information they need for the investigation," Superdrug said.
Was it another credential-stuffing attack?
In a statement, the company also mentioned that it believes cyber criminals may have accessed accounts on its website after obtaining email addresses and passwords from other websites. It added that only 386 customers may have been actually affected by the breach, instead of the 20,000 that hackers behind the operation are claiming.
"From the information available, while 386 or so Superdrug customer accounts were compromised, there isn't a whole lot of information on how the cyber-hackers actually obtained the usernames and passwords. I expect that we will learn more about this as they investigate the breach further. However, this underscores the attractiveness of the retail sector as a target for cyber-attacks," said Sanjay Ramnath, VP at AlienVault.
"It is critical then for organizations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken. Complimenting this with up-to-date threat intelligence data that can help identify emerging and popular threats against retailers. If compliance with industry standards like PCI and regulatory standards like GDPR are not found, then the consequences could be dire," he added.
Back in August, security firm Shape Security noted in its 2018 Credential Spill Report that over 90 percent of login attempts on websites owned by online retailers are made by cyber criminals looking to gain access to loyalty points, offers, and deals made available by retailers for genuine customers.
Based on an analysis of 1.6 billion accounts, Shape Security found that well-planned and targeted credential stuffing attacks also cost organisations dear as about 3 percent of such attacks usually succeed. E-commerce retailers lose an average of $6 billion a year, banks lose $1.7 billion a year, and hotel and airline companies lose $700 million every year to credential stuffing attacks.
"Although happily, payment data was not exposed, the personally identifiable information held hostage can easily fuel synthetic identity fraud and identity theft. With these types of fraud, personally identifiable information such as name, address, or date of birth are traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft.
"This is why retailers, along with eCommerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics. These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen," said Ryan Wilk, vice president at NuData Security.