Analysis

The curious case of the Superdrug 'hack'

Earlier this week high street retailer Superdrug was contacted by a lone hacker claiming that they had stolen the personal information of up to 20,000 customers and demanded a ransom in exchange for the information. This included customers' names, addresses, and other personal details, but no payment or card information.

Scott Carey Aug 24th 2018

"On Monday evening we were contacted by an individual who claimed they had obtained a number of our customers' online shopping information and was seeking a ransom from us," a spokesperson for Superdrug said.

No ransom was paid, and when asked for evidence of the hack, IT staff at the retailer received details from 386 accounts.

However, early investigations suggested that these were not stolen from the retailer but were acquired in a separate hack.

This technique is known as credential stuffing, where stolen logins and passwords from one website are used to gain access to user accounts on another, here as a means of extorting money from the 'affected' organisation. This is usually done with an off-the-shelf automation tool such as Selenium, cURL or PhantomJS.

"For this sort of threat to work, the hacker will have bought a batch of stolen data and tested the log-in credentials of thousands of people against thousands of sites until they find ones that work," Bernd Koenig, director of security products at Akamai explained. "When they have a significant number of successful logins, they can then fabricate the appearance of a new breach to use as leverage in an attempt to extort money."

This sort of attack relies on users reusing the same password across multiple websites and services. For example, someone's login and password might be stolen in the Carphone Warehouse breach, then purchased and reused in a credential stuffing attack elsewhere.

As the vendor of a bot-management product, Koenig naturally recommends this sort of solution as a means of protection. "To protect themselves, organisations should employ tools that can accurately detect if a log in attempt is human or a bot through how quickly the credentials are entered or even how a device is held," he said.

"This type of attack is going to become more common as cybercriminals turn to increasingly sophisticated tools, so businesses must invest in new technologies, including solutions with AI based on machine learning algorithms, to protect themselves."
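The pattern Koenig describes, many different accounts tried from one source, mostly failing, at machine speed, is visible in a site's own login logs without any vendor product. The following is an added example, not code from the article, Superdrug or Akamai; the log format, field names and thresholds are assumptions chosen for illustration, and the log lines are constructed. It profiles each source address, flags those that look like credential stuffing, and lists the accounts such a source logged into successfully, which is the set of customers an operator would need to notify.

```python
"""Spotting credential-stuffing patterns in web login logs (illustrative)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data). Assumed format per line:
# ISO timestamp, source IP, username, outcome (OK or FAIL).
# 203.0.113.5 walks through eight different accounts in four seconds;
# 198.51.100.7 is one person retrying their own password.
SAMPLE_LOG = """\
2018-08-20T21:00:00 203.0.113.5 alice@example.com FAIL
2018-08-20T21:00:01 203.0.113.5 bob@example.com FAIL
2018-08-20T21:00:01 203.0.113.5 carol@example.com OK
2018-08-20T21:00:02 203.0.113.5 dave@example.com FAIL
2018-08-20T21:00:02 203.0.113.5 erin@example.com FAIL
2018-08-20T21:00:03 203.0.113.5 frank@example.com FAIL
2018-08-20T21:00:03 203.0.113.5 grace@example.com OK
2018-08-20T21:00:04 203.0.113.5 heidi@example.com FAIL
2018-08-20T21:05:00 198.51.100.7 alice@example.com FAIL
2018-08-20T21:05:30 198.51.100.7 alice@example.com FAIL
2018-08-20T21:06:10 198.51.100.7 alice@example.com OK
2018-08-20T21:10:00 192.0.2.9 ivan@example.com OK
"""


def parse_log(text):
    """Parse one record per non-empty line into a dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
        })
    return records


def profile_sources(records):
    """Per source IP: attempt volume, account spread, failure rate and pacing."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    stats = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        fails = sum(1 for r in rs if not r["ok"])
        stats[ip] = {
            "attempts": len(rs),
            "distinct_users": len({r["user"] for r in rs}),
            "failure_rate": fails / len(rs),
            # None when a source made only one attempt (no interval to measure)
            "median_interval": median(gaps) if gaps else None,
        }
    return stats


def flag_stuffing(stats, min_users=5, min_failure_rate=0.5, max_interval=2.0):
    """Flag sources that try many accounts, mostly fail, and pace like a script.

    Thresholds are illustrative assumptions; a real deployment tunes them
    against its own baseline of legitimate login behaviour.
    """
    flagged = set()
    for ip, s in stats.items():
        if (s["distinct_users"] >= min_users
                and s["failure_rate"] >= min_failure_rate
                and s["median_interval"] is not None
                and s["median_interval"] <= max_interval):
            flagged.add(ip)
    return flagged


def accounts_accessed(records, flagged):
    """Accounts a flagged source logged into successfully: the users to notify."""
    hit = defaultdict(set)
    for r in records:
        if r["ip"] in flagged and r["ok"]:
            hit[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in hit.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    suspects = flag_stuffing(profile_sources(recs))
    print("suspected credential stuffing from:", sorted(suspects))
    print("accounts to notify:", accounts_accessed(recs, suspects))
```

The single-account retrier is left alone because it touches one username and pauses for tens of seconds between attempts, while the scripted source trips all three conditions at once. Note that successful logins from a flagged source are the important output: those are the accounts whose reused passwords worked, and they need a forced reset regardless of whether the site itself was ever breached.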

Disclosure

Superdrug soon disclosed this claim to customers, asking that they change their password and explaining: "We have contacted the Police and Action Fraud (the UK's national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers' data incredibly seriously."

This was followed by a tweet confirming that the email was genuine and that customers should follow the suggested step of changing their password.

A spokesperson for Superdrug said: "We have worked with our independent IT security advisors who have confirmed that there have been no signs of a hack of our systems (for example, there has been no mass data download or extraction from our systems), they also confirmed that the 386 accounts that were shared by the individual as proof of the attack were accounts that had been obtained in previous hacks unrelated to Superdrug."

So why would Superdrug have to email users warning that their information is at risk if there is no evidence of a hack?

"Customers' names, addresses and, in some instances, date of birth, phone number and points balances may have been accessed. We have notified directly our customers whom we believe may have had their accounts accessed." (Emphasis added).

For its part, Superdrug appears to have reacted to this situation as well as can be expected: not paying the ransom, investigating the claims, informing potentially affected users and reporting the case to the authorities. The retailer says internal investigations are ongoing.

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK and Ireland said: "We should praise the speed in which they acted and communicated the breach, particularly as this highlights the growing need for businesses to be open and transparent with consumers and stakeholders when a suspected breach has taken place."

A spokesperson for the Information Commissioner's Office (ICO) said: "We have been made aware of a potential incident involving Superdrug and will be making enquiries."