With the recent news that Superdrug has been hacked, exposing 200,000 customers’ details, Dr Guy Bunker, SVP of Products at data security company Clearswift, looks into the statement made by the health and beauty retailer.
Dr Guy Bunker, SVP of Products at Clearswift:
“The first thing to consider as a consequence of this breach is GDPR. Only time will tell but we may see Superdrug fined because of the hack.
“The second is whether the proposed method of the attack – with the attackers finding other ways of obtaining usernames and passwords from somewhere else and then using those to brute force an attack on the Superdrug site – was actually used. Now, Superdrug is claiming that this approach may well be what has been used, in which case it wasn’t them who lost the information, and so implying they are not to blame in any way and therefore shouldn’t be fined under GDPR or any other compliance case.
“If the latter is true, brute force based on found credentials, then this type of attack will become increasingly commonplace, and the onus goes back on customers to look after their credentials and not to use the same passwords for multiple sites.
“In this case, by going public Superdrug evidently isn’t paying those who are trying to blackmail them and, by bringing to light the method by which the customer data was obtained, is also showing how it will be difficult for legislators to prove where data might have come from in the case of a GDPR claim.”
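The scenario Bunker describes, credentials leaked from another site and replayed against a retailer's login page, leaves a recognisable trace in the retailer's own authentication logs: one source tries many distinct usernames in a short window and fails most of the time, which looks nothing like a genuine customer mistyping a password. The script below is an added illustration of that detection logic; it is not code from the article, from Superdrug or from Clearswift. The log format, the sample lines and the thresholds are constructed assumptions for the example.

```python
"""Flag credential-stuffing sources in web login logs.

Added example, not part of the original article or any vendor product.
The log format ("<epoch> <client_ip> <username> <OK|FAIL>"), the sample
lines and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one source cycling through many accounts with
# mostly failures, one real user retrying a typo, one ordinary login.
SAMPLE_LOG = """\
1534800000 203.0.113.10 alice FAIL
1534800001 203.0.113.10 bob FAIL
1534800002 203.0.113.10 carol FAIL
1534800003 203.0.113.10 dave OK
1534800004 203.0.113.10 erin FAIL
1534800005 203.0.113.10 frank FAIL
1534800006 203.0.113.10 grace FAIL
1534800007 203.0.113.10 heidi FAIL
1534800010 198.51.100.7 alice FAIL
1534800015 198.51.100.7 alice FAIL
1534800020 198.51.100.7 alice OK
1534800030 192.0.2.44 mallory OK
"""


@dataclass
class Attempt:
    ts: int
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field log format, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        attempts.append(Attempt(int(ts), ip, user, result == "OK"))
    return attempts


def find_stuffing_sources(attempts, window=300, min_users=5, max_success_rate=0.5):
    """Return {ip: set of accounts that logged in successfully} for every
    source IP that, within any `window` seconds, tried at least `min_users`
    distinct usernames with a success rate no higher than `max_success_rate`.

    A single user retrying their own password fails the distinct-user test,
    so ordinary typos are not flagged.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window` seconds.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            distinct_users = {a.user for a in win}
            if len(distinct_users) < min_users:
                continue
            successes = sum(a.ok for a in win)
            if successes / len(win) <= max_success_rate:
                # Record which accounts the suspected source actually got into.
                flagged.setdefault(ip, set()).update(a.user for a in win if a.ok)
    return flagged


def accounts_to_reset(flagged):
    """Accounts that accepted a password from a flagged source: these are the
    customers whose reused credentials were most likely valid elsewhere."""
    return sorted({user for users in flagged.values() for user in users})


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, users in hits.items():
        print(f"suspected credential stuffing from {ip}; compromised: {sorted(users)}")
    print("force password reset for:", accounts_to_reset(hits))
```

The distinction the two thresholds draw is the practical one: a burst of failures against one account is a locked-out customer, while a burst spread across many accounts with the occasional success is a list of leaked credentials being replayed. Accounts that accepted a password from a flagged source are the ones whose owners reused that password, which is exactly the case where, as the quote notes, the retailer's own systems were not the origin of the leak but still need to act on it.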