Superdrug

Superdrug, also known as Superdrug Stores plc, is a United Kingdom-headquartered organisation operating within the retail sector. Its core business involves providing health, beauty, and wellness products directly to consumers. The company maintains a physical store presence alongside an online platform, facilitating customer purchases and engagement through digital channels. This dual-channel approach is common among major retailers seeking to serve customers both in-person and remotely.

The organisation experienced a significant cybersecurity incident on August 20, 2018. Hackers successfully accessed approximately 20,000 customer records by exploiting reused credentials obtained from breaches on unrelated websites, a technique known as credential stuffing. The compromised data included sensitive customer information such as names, addresses, email addresses, and passwords. In certain instances, dates of birth, phone numbers, and loyalty points balances were also exposed; however, payment card information remained secure and was not accessed during this breach. Following the incident, the attackers directly contacted Superdrug, claiming possession of the stolen customer data. This contact suggested the possibility of an extortion attempt alongside the initial breach. In response, Superdrug notified relevant law enforcement agencies and proactively advised affected customers to update their passwords as a precautionary security measure. The incident highlighted risks associated with password reuse across multiple online services.