Superdrug has warned its online customers to change their passwords after the company was contacted by hackers claiming to have accessed thousands of accounts.
The health and beauty retailer said the attackers claimed to have stolen the details of 20,000 customers although it had only seen evidence that 386 customers had been affected.
Among the stolen information were names, addresses, date of birth and phone numbers, but Superdrug stressed no credit card details had been accessed.
The chain believes there is “no evidence” to suggest its systems it had been hacked, claiming the criminals had got email addresses and passwords from other sites and used them to log into their Superdrug accounts.
After trying to prove that it had access to the accounts, the hacking group allegedly tried to extort a ransom.
In a statement posted on social media late Tuesday night, the company said: “We are very sorry for the inconvenience and concern this has caused.”
“We take our responsibility to protect your personal information very seriously and that is why we have let our customers know as soon as we could.”
It added: “We have contacted the Police and Action Fraud (the UK’s national fraud and cyber-crime arm) and will be offering them all the information their need for their investigation.”
Superdrug is by no means the first big company to have customer account details hacked. Earlier this summer, Dixons Carphone Plc (LON:DC.) revealed that a 2017 cyber attack resulted in the details of 10mln customers being compromised.