Superdrug hacking episode signals need to move to “passwordless” society

Copyright: Superdrug

Following the recent hacking episode suffered by Superdrug, Jesper Frederiksen (head of the EMEA region at identity management specialist Okta) has argued that the incident shows that, even with the General Data Protection Regulation (GDPR) now in force, companies – and retailers in particular – are not doing enough to take data protection seriously. Frederiksen stresses that companies need to look beyond passwords and authenticate users on a number of contextual factors such as device trust and IP geolocation.

“The hack on Superdrug highlights the archaic processes involved with password data breaches,” asserted Frederiksen. “While the retailer was quick to ask its consumers to change their passwords, how many consumers will take notice and actually do this before the information is already tapped into? According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches are caused by compromised security credentials, showing that organisations must evolve from solely relying on passwords as a standalone form of protection.”

Frederiksen went on to state: “In the era of the GDPR, businesses of all sizes should be aware of the major financial and reputational damage involved with data breaches. This requires them to look at stronger ways in which to protect important information. In the near future, retailers may choose to scrap passwords altogether and go for a ‘passwordless’ society where user authentication is enabled based on a number of contextual factors such as device trust and IP geolocation. This would sit as part of a discrete identity system that removes any reliance on personal information, eradicating the value of such information to hackers and thus boosting safety in the process.”

In an e-mail sent out to the customer base on the evening of 21 August, Superdrug’s CEO Peter Macnab stated that the company had been contacted by a group of hackers on Monday 20 August. The hackers claimed they had accessed “a number of customers’ online shopping information”. Macnab said there is no evidence of Superdrug’s own systems having been compromised. The belief is that the hackers obtained customers’ e-mail addresses and passwords from breaches of other websites and then replayed those credentials against the Superdrug website, gaining access to any account whose owner had re-used the same password (an attack commonly known as credential stuffing). The hackers claimed to have obtained information on approximately 20,000 customers.
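The attack pattern described above leaves a recognisable trace in a site’s login logs: one source trying many different accounts, roughly once each, with most attempts failing and the occasional success where a customer re-used a password. The script below, an added example and not code from Superdrug, Okta or any other party quoted here, shows how that pattern can be told apart from ordinary logins and from a single-account brute-force attempt. The log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
"""Spotting a credential-stuffing run in web login logs.

Added example (not Superdrug's or Okta's code). The log format, the
sample lines and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 replays leaked e-mail/password pairs against many accounts,
# one try each, and succeeds only where the customer re-used a password.
# 192.0.2.33 hammers a single account (classic brute force).
# The remaining lines are ordinary customers, including one typo.
SAMPLE_LOG = """\
2018-08-20T02:00:01Z 203.0.113.7 alice@example.com FAIL
2018-08-20T02:00:02Z 203.0.113.7 bob@example.com FAIL
2018-08-20T02:00:02Z 203.0.113.7 carol@example.com OK
2018-08-20T02:00:03Z 203.0.113.7 dave@example.com FAIL
2018-08-20T02:00:03Z 203.0.113.7 erin@example.com FAIL
2018-08-20T02:00:04Z 203.0.113.7 frank@example.com OK
2018-08-20T02:00:05Z 203.0.113.7 grace@example.com FAIL
2018-08-20T02:00:05Z 203.0.113.7 heidi@example.com FAIL
2018-08-20T02:00:06Z 203.0.113.7 ivan@example.com FAIL
2018-08-20T02:00:06Z 203.0.113.7 judy@example.com FAIL
2018-08-20T03:10:00Z 192.0.2.33 bob@example.com FAIL
2018-08-20T03:10:01Z 192.0.2.33 bob@example.com FAIL
2018-08-20T03:10:01Z 192.0.2.33 bob@example.com FAIL
2018-08-20T03:10:02Z 192.0.2.33 bob@example.com FAIL
2018-08-20T03:10:02Z 192.0.2.33 bob@example.com FAIL
2018-08-20T03:10:03Z 192.0.2.33 bob@example.com FAIL
2018-08-20T08:15:00Z 198.51.100.4 alice@example.com FAIL
2018-08-20T08:15:20Z 198.51.100.4 alice@example.com OK
2018-08-20T09:30:00Z 198.51.100.9 bob@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP login counters."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts actually entered


def parse_log(text):
    """Aggregate login events per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def classify(s, min_attempts=5, min_fail_rate=0.5, min_user_ratio=0.8):
    """Label one source's behaviour.

    Stuffing and brute force both fail a lot; what separates them is the
    distinct-accounts-to-attempts ratio: near 1.0 for stuffing (one guess
    per leaked pair), near 0 for brute force (many guesses, one account).
    """
    if s.attempts < min_attempts:
        return "normal"
    if s.failures / s.attempts < min_fail_rate:
        return "normal"
    if len(s.users) / s.attempts >= min_user_ratio:
        return "credential-stuffing"
    if len(s.users) <= 2:
        return "brute-force"
    return "suspicious"


def analyse(text):
    """Return {ip: (label, sorted accounts entered from that ip)}."""
    return {ip: (classify(s), sorted(s.successes))
            for ip, s in parse_log(text).items()}


def compromised_accounts(results):
    """Accounts entered from a source labelled as stuffing: the ones to
    lock, force through a password reset and notify."""
    hit = set()
    for label, entered in results.values():
        if label == "credential-stuffing":
            hit.update(entered)
    return sorted(hit)


if __name__ == "__main__":
    res = analyse(SAMPLE_LOG)
    for ip, (label, entered) in res.items():
        print(f"{ip:15} {label:20} {entered}")
    print("reset:", compromised_accounts(res))
```

The point of the ratio check is that a password-reset e-mail to the whole customer base is the blunt instrument; the accounts that actually need locking are the ones entered from a flagged source. Two caveats a practitioner would add: real stuffing runs are usually spread across proxy pools so that each IP stays under any per-address threshold, so the same counters should also be kept per ASN, user agent or TLS fingerprint; and the contextual signals Frederiksen mentions (a device never seen for that account, a login country the account has never used) are the natural next filter on the successes.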

Superdrug has reported that no customers’ payment card details have been accessed. The company has stated that it has informed the police as well as Action Fraud (the UK’s national reporting centre for fraud and cyber crime) about the issue.

Customers’ names, addresses and, in some instances, dates of birth, phone numbers and points balances may have been accessed. Macnab and Superdrug are advising customers to change their Superdrug.com passwords now and to keep changing them on a regular basis. Given how the accounts are believed to have been entered, the more important protection is a password that is not shared with any other website.

Lack of awareness

Also commenting on the incident, Andy Cory (identity management services lead at KCOM) observed: “A company can mandate all the passwords it wants, but it cannot force customers to keep them secret. While consumers value security, they often lack the awareness to know when they have compromised their own. Users must regularly update the passwords on all their commonly-used apps to make sure that their fail-safes are protected. They must also avoid the temptation to re-use passwords between services.”

He continued: “The key is to remember that security decays with time. The longer you go between password changes and identity checks, the more likely you are to suffer a breach. Consumers and companies alike need to conduct regular health checks and keep their security on its toes. While a customer’s security weakness doesn’t help, a weak authentication system is a company’s problem as well as its responsibility. If a business cannot provide easy access to its services or a secure sign-in process for its customers, it only has itself to blame when its users desert.”

In conclusion, Cory said: “Fortunately, there’s a way to achieve the best of both worlds. If customers grumble at sign-in procedures and cannot be depended on to keep their security information safe, then the process can and should be removed. This isn’t to recommend that identity access management be taken out of the equation. Only that the legwork is transferred from the customer to the business. Organisations need to make the process simple and time efficient for their customers.”

Potential fine

Dr Guy Bunker, senior vice-president of products at Clearswift, asserted: “The first thing to consider as a consequence of this breach is the GDPR. Only time will tell, but we may see Superdrug fined because of the hack. The second is whether the proposed method of the attack – with the attackers finding other ways of obtaining usernames and passwords from somewhere else and then using those to brute force an attack on the Superdrug site – was actually used. Now, Superdrug is claiming that this approach may well be what has been used, in which case it wasn’t them who lost the information, thereby implying they are not to blame in any way. Therefore, they’ll feel they shouldn’t be fined under the GDPR or any other compliance case.”

Bunker added: “If the latter is true, and the attack involved brute force based on found credentials, then this type of attack will become increasingly commonplace, and the onus falls back on customers to look after their credentials and not to use the same passwords for multiple sites. In this case, by going public, Superdrug evidently isn’t paying those who are trying to blackmail them and, by bringing to light the method by which the customer data was obtained, is also showing how it will be difficult for the legislators to prove where the data might have come from in the event of a GDPR claim.”

What was once safe is now vulnerable

Juliette Rizkallah, CMO at SailPoint, has commented: “Each new data breach confirms what we’ve suspected all along: what we once thought was safe is now vulnerable. The reality remains that it’s not ‘If’ but ‘When’ an organisation will be breached. As hackers find new entry points into the enterprise and are now leveraging new technologies, such as malicious bots, to their advantage, the risk to organisations and their sensitive data grows. Meanwhile, organisations are also facing the challenge of adapting to new compliance realities, including the GDPR, which aim to further regulate the flow of data in the enterprise.”

Rizkallah also informed Risk Xtra: “At the end of the day, defence is the best idea. It might be tempting to overlook the risks and postpone the implementation of vital protective technologies such as identity governance in the name of convenience and cost-cutting until a breach occurs. Our research shows that the average cost of dealing with a breach is almost £700,000 per company per breach. Weak passwords and stolen employee credentials are often a bait for cyber criminals. They enter through a weak ‘back door’ and stay in the system for 200 days, on average, until they access privileged accounts and strike ‘gold’ – a carte blanche to download sensitive files and information at will, often unnoticed. The financial and reputational costs of data breaches should be incentive enough for organisations to adopt a proactive mindset when it comes to governing identities and their access to sensitive data.”

Further, Rizkallah opined: “By implementing an identity governance platform that can adapt to regulatory changes and rapidly developing threats, organisations can protect not only their sensitive data, but also their brand’s reputation. Sometimes, the casualty of the breach isn’t the data leak itself, but the handling of the aftermath, which can make or break an organisation.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.