Cyber Incident Victim: Superdrug
Date: Aug 2018
Location: United Kingdom
Summary
Hackers accessed approximately 20,000 customer records through credential stuffing, leveraging credentials compromised from unrelated websites to breach accounts. The compromised data included names, addresses, email addresses, passwords, and in some cases dates of birth, phone numbers, and loyalty points balances, though payment card information remained unaffected. The retailer confirmed contact by the attackers—who claimed possession of the data—and notified law enforcement while advising customers to update passwords, suggesting the incident may have involved an extortion attempt.
Description
On August 20, 2018, Superdrug Stores plc was contacted by hackers claiming possession of personal data belonging to approximately 20,000 customers from its online shopping platform. The attackers alleged access to customer information but did not provide evidence of compromising Superdrug’s internal systems. The company initiated an investigation and confirmed the potential exposure of limited customer data, explicitly stating payment card details were unaffected. Analysis indicated the breach likely resulted from credential stuffing, where attackers reused email addresses and passwords obtained from unrelated third-party website breaches to gain unauthorized access to Superdrug customer accounts. The compromised data included names, postal addresses, and in some cases dates of birth, phone numbers, and loyalty points balances. Superdrug identified only 386 accounts with confirmed unauthorized access, contradicting the hackers’ initial claim of 20,000 affected records.

Superdrug notified affected customers via email on August 21, 2018, advising password changes and ongoing vigilance. The company reported the incident to law enforcement agencies, including Action Fraud, and committed to providing investigative support. Internal findings suggested the attackers sought financial extortion in exchange for withholding the data. No direct evidence of system vulnerabilities or malware within Superdrug’s infrastructure was identified. The incident primarily impacted customers who reused credentials across multiple online services. Superdrug emphasized regular password updates as a protective measure but did not disclose specific technical remediation steps taken. Business operations continued without interruption, with no reported financial losses or regulatory penalties linked to the event at the time of disclosure.
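The credential-stuffing pattern described above, as an added detection example that is not part of this incident record: one source cycling through many distinct accounts in a short window with mostly failed logins, where the few successes mark the accounts whose owners reused a password leaked elsewhere. The log format, IP addresses, accounts and thresholds are constructed assumptions.

```python
# Added example (not from the incident record): flag credential stuffing in
# web login logs. The signature is one source trying many distinct accounts
# in a short window with mostly failures; the few successes are the accounts
# whose owners reused a password leaked from an unrelated site.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, outcome (assumed format).
SAMPLE_LOG = """\
2018-08-20T02:00:01Z 203.0.113.7 alice@example.test FAIL
2018-08-20T02:00:02Z 203.0.113.7 bob@example.test FAIL
2018-08-20T02:00:03Z 203.0.113.7 carol@example.test OK
2018-08-20T02:00:04Z 203.0.113.7 dave@example.test FAIL
2018-08-20T02:00:05Z 203.0.113.7 erin@example.test FAIL
2018-08-20T02:00:06Z 203.0.113.7 frank@example.test OK
2018-08-20T02:00:07Z 203.0.113.7 grace@example.test FAIL
2018-08-20T02:00:08Z 203.0.113.7 heidi@example.test FAIL
2018-08-20T02:00:09Z 203.0.113.7 ivan@example.test FAIL
2018-08-20T02:00:10Z 203.0.113.7 judy@example.test FAIL
2018-08-20T09:15:00Z 198.51.100.20 alice@example.test FAIL
2018-08-20T09:15:20Z 198.51.100.20 alice@example.test OK
"""

def parse(log_text):
    """Parse lines into (time, ip, account, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=8, max_success_ratio=0.3):
    """Return {ip: sorted accounts successfully entered} for each source that tried
    at least min_accounts distinct accounts within `window` and mostly failed.
    Thresholds are assumptions; tune them to the site's normal login behaviour."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):        # sliding time window over this IP's logins
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e[2] for e in chunk}
            successes = [e[2] for e in chunk if e[3]]
            if len(accounts) >= min_accounts and len(successes) / len(chunk) <= max_success_ratio:
                hits.setdefault(ip, set()).update(successes)   # accounts to force-reset
    return {ip: sorted(accs) for ip, accs in hits.items()}
```

A single user retrying their own password (the second source above) never trips the check, because the distinct-account count stays at one.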
