Yesterday evening, Superdrug contacted its customers about a data breach affecting a reported 20,000 individuals.

In an email, the company said: “on the evening of the 20th of August, we were contacted by hackers who claimed they have obtained a number of our customers’ online shopping information. There is no evidence that Superdrug systems have been compromised.”

The email continued: “The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386”.

It said it believed the criminals had got customers’ email addresses and passwords from other websites “and then used those credentials to access accounts on our website”.
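The pattern Superdrug describes, credentials leaked from other sites being replayed against its login page, is known as credential stuffing, and it leaves a recognisable trace in authentication logs: one source trying many distinct accounts with a low success rate, unlike a genuine user retyping their own password. The following is an added example of that detection logic, written for this article and not code or data from Superdrug; the log lines are constructed and the thresholds are illustrative assumptions.

```python
"""Flag credential-stuffing behaviour in web login logs.

Added example for this article (not Superdrug's code or data). The sample
log lines below are constructed, and the detection thresholds are
assumptions chosen for illustration rather than tuned production values.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: timestamp, client IP, account, outcome.
# 203.0.113.7 sprays ten different accounts and gets in to two of them;
# 198.51.100.9 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2018-08-20T21:00:01Z 203.0.113.7 alice@example.com FAIL
2018-08-20T21:00:02Z 203.0.113.7 bob@example.com FAIL
2018-08-20T21:00:02Z 203.0.113.7 carol@example.com OK
2018-08-20T21:00:03Z 203.0.113.7 dave@example.com FAIL
2018-08-20T21:00:03Z 203.0.113.7 erin@example.com FAIL
2018-08-20T21:00:04Z 203.0.113.7 frank@example.com FAIL
2018-08-20T21:00:05Z 203.0.113.7 grace@example.com OK
2018-08-20T21:00:06Z 203.0.113.7 heidi@example.com FAIL
2018-08-20T21:00:07Z 203.0.113.7 ivan@example.com FAIL
2018-08-20T21:00:08Z 203.0.113.7 judy@example.com FAIL
2018-08-20T21:05:00Z 198.51.100.9 alice@example.com FAIL
2018-08-20T21:05:04Z 198.51.100.9 alice@example.com FAIL
2018-08-20T21:05:09Z 198.51.100.9 alice@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)      # every account tried
    compromised: set = field(default_factory=set)   # accounts that logged in OK


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, ok)."""
    ts, ip, account, outcome = line.split()
    return ts, ip, account, outcome == "OK"


def aggregate(log_text):
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, account, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.successes += 1
            s.compromised.add(account)
    return stats


def flag_credential_stuffing(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: sorted accounts that authenticated successfully} for each
    source whose behaviour matches credential stuffing: at least
    `min_accounts` distinct accounts attempted and an overall success rate
    of at most `max_success_rate`. Both thresholds are illustrative
    assumptions. The successful accounts are the ones a defender would
    force a password reset on and notify, since those credentials are
    evidently circulating from another breach."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        distinct = len(s.accounts)
        rate = s.successes / s.attempts
        if distinct >= min_accounts and rate <= max_success_rate:
            flagged[ip] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    for ip, accounts in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset and notify {accounts}")
```

Keying on distinct accounts per source rather than on failures per account matters here: a stuffing campaign may only try each account once, so per-account lockout thresholds never trigger, while the legitimate user at 198.51.100.9 with two failed attempts on a single account is correctly left alone.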

The types of personal information stolen were:

Names
Addresses
Dates of birth
Phone numbers
Point balances

Password advice

Superdrug’s email suggests that customers log in and change their password now “and on an on-going, frequent basis”.

To me, and many other security professionals, that’s bad advice. I don’t know about you, but I have around 90 online accounts – if I get into the habit of changing my passwords every 6 months, I’ll very quickly run out of ideas, which will either make me use weak passwords or use the same password across multiple accounts. Superdrug should be encouraging customers to use a password manager.

Were they breach ready?

As we often say, all organisations should prepare themselves for a data breach. Superdrug’s advice on passwords comes across as a knee-jerk reaction. If they were up to date with the latest security practice and spent time with people in the industry, they would know that many security professionals would have offered different advice.

Their statement also makes no mention of informing the ICO (Information Commissioner’s Office) about this data breach. If they haven’t, then they really ought to.

More information on this story will be posted when it becomes available.