It was reported that Superdrug had warned its online customers to change their passwords after criminals claimed to have obtained their personal details. The chain said the group claimed they had stolen details of 20,000 customers. IT security experts commented below.
Dr Guy Bunker, SVP of Products at Clearswift:
“The first thing to consider as a consequence of this breach is GDPR. Only time will tell but we may see Superdrug fined because of the hack.
“The second is whether the proposed method of the attack – with the attackers finding other ways of obtaining usernames and passwords from somewhere else and then using those to brute force an attack on the Superdrug site – was actually used. Now, Superdrug is claiming that this approach may well be what has been used, in which case it wasn’t them who lost the information, and so implying they are not to blame in any way. Therefore, shouldn’t be fined under GDPR or any other compliance case.
“If the latter is true, brute force based on found credentials, then this type of attack will become increasingly commonplace, and the onus goes back on customers to look after their credentials and not to use the same passwords for multiple sites.
“In this case, by going public Superdrug evidently isn’t paying those who are trying to blackmail them and, by bringing to light the method by which the customer data was obtain, is also showing how it will be difficult for legislators to prove where data might have come from in case of a GDPR claim.”
Andy Cory, Identity Management Services lead at KCOM:
“A company can mandate all the passwords they want, but they cannot force customers to keep them secret. While consumers value security, they often lack the awareness to know when they have compromised their own. Users must regularly update the passwords on all their commonly-used apps to make sure that their fail-safes are protected. They must also avoid the temptation to reuse passwords between services.
“The key is to remember that security decays with time. The longer you go between password changes and identity checks, the more likely you are to suffer a breach. Consumers and companies alike need to conduct regular health checks and keep their security on its toes.
“While a customer’s security weakness does not help, a weak authentication system is a company’s problem as well as its responsibility. If a business cannot provide easy access to its services or a secure sign-in process for its customers, it only has itself to blame when its users desert.
“Fortunately, there is a way to achieve the best of both worlds. If customers grumble at sign-in procedures and cannot be depended on to keep their security information safe, then the process can and should be removed. This is not to recommend that identity access management be taken out of the equation, only that the legwork is transferred from the customer to the business – organisations need to make the process simple and time efficient for their customers.”
Martin Jartelius, CSO at Outpost24:
“Based on the company information, the data held has very little value to the attackers, which is likely why they have turned to extortion. Obtaining this data and using it to blackmail data controllers will likely be a rising trend due to the GDPRs fines and the limited understanding of what the fines are based on. Data which earlier held little or no financial value to an attacker can now, due to the legislation put in place to protect it, be financially more interesting for attackers to obtain.
It should be noted that by being open rather than paying the criminals, Superdrug have taken the responsible call. When a breach is suspected to have occurred, it is the obligation of the data controller to inform affected individuals without delay. At this time, it still seems uncertain how the breach occurred, or how many individuals are affected. Due to this, the only way to meet regulatory requirements is to inform everyone. The GDPR does not protect us all from breaches, it does however act to give a better guarantee that we will be informed when said breaches occur.”
Jonny Milliken, Manager, Research Team at Alert Logic:
“What’s worth reiterating is that other retailers need to take these notifications as a warning on two fronts. 1) Your high street peers are being attacked, you could be next. Ensure you’re investing appropriately in your protection systems and staff training. 2) Attackers can linger for a long time in compromised networks. Ensure you have people actively looking for signs of compromise and go do that right now – better to find out and remediate internally than an attacker emailing you on a Monday evening.”
David Jacoby, Senior Security Researcher, Global Research & Analysis Team at Kaspersky Lab:
“With so many people using Superdrug to buy their everyday beauty products, it is no surprise that their customer’s data is a target for cybercriminals. It is important for Superdrug – and all businesses – to have an effective cyber-security strategy in place before it becomes a target. Companies should also implement measures to secure customer data, so that if data is compromised in a breach, passwords and other sensitive details are not made available to threat actors. In addition, consumers should ensure that they are doing everything they can to protect themselves, including changing their passwords regularly.”
Jesper Frederiksen, Head of EMEA at Okta:
“The latest hack on Superdrug highlights the archaic processes involved with password data breaches. While the retailer was quick to ask its consumers to change their passwords, how many consumers will take notice and actually do this before the information is already tapped into? According to Verizon’s 2017 Data Breach Investigation Report, 81% of hacking related breaches are caused by compromised security credentials, showing that organisations must evolve from solely relying on passwords as a standalone form of protection.
And in the era of GDPR, businesses of all sizes should be aware of the major financial and reputational damage involved with data breaches, requiring businesses to look at stronger ways to protect important information. In the near future, retailers may choose to scrap passwords altogether and go for a “passwordless” society, where user authentication is enabled based on a number of contextual factors such as device trust and IP geolocation. This would sit as part of a discrete identity system that removes any reliance on personal information, eradicating the value of personal information to hackers and thus boosting safety in the process.”
Sam Curry, Chief Security Officer at Cybereason:
“The biggest issue with the possible breach of private information from Superdrugcustomers is that this is another blow to our collective privacy. There is a laundry list of names of the biggest corporations in the world that have been dealt a collective knock down over the years whether it be Equifax, Anthem, Target, Heartland or eBay, to name a few.
“We know the list of companies suffering breaches where personal information of their customers was compromised is in the thousands. The reality is that the cost to gain information on consumers has plummeted and should be at the forefront of the debate.
“Today, every consumer should be working under the assumption that their personal information has been compromised many times over, and the latest Superdrug hack is a reminder that they should watch their identities and credit for abuses.”
Sanjay Ramnath, VP at AlienVault:
“From the information available, while 386 or so Superdrug customer accounts were compromised, there isn’t a whole lot of information on how the cyber-hackers actually obtained the usernames and passwords. I expect that we will learn more about this as they investigate the breach further. However, this underscores the attractiveness of the retail sector as a target for cyber-attacks.
“It is critical then for organizations within the retail sector to have strong threat detection and response systems in place so that any breaches or attempted breaches can be spotted quickly and the appropriate and timely response taken. Complimenting this with up-to-date threat intelligence data that can help identify emerging and popular threats against retailers. If compliance with industry standards like PCI and regulatory standards like GDPR are not found, then the consequences could be dire.
“For those affected, users should change their passwords or usernames not only on the site, but also anywhere else they may have used that particular password to ensure criminals don’t try to access other accounts.”
Ryan Wilk, Vice President at NuData Security:
“Although happily, payment data was not exposed, the personally identifiable information held hostage can easily fuel synthetic identity fraud and identity theft. With these types of fraud, personally identifiable information such as name, address, or date of birth are traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft.
“This is why retailers, along with eCommerce organisations, banks, and financial institutions are layering in multi-layered security strategies using passive biometrics and behavioural analytics. These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen.”
Andy Norton, Director of Threat Intelligence at Lastline:
“Whilst there is little detail in the communications to date, the hacker has clearly released a number of stolen records to Superdrug, to prove they have some portion of customer information. Superdrug have not stated the hackers demands but this could be the first case of attempted GDPR blackmail.”