Superdrug cyber attack: How will they handle it?
By Nicholas Jennings, CMO, Naoris
Unless there was serious malpractice or negligence, I don’t think we should be blaming Superdrug or burying them in shame. We understand that eventually everyone will be hacked. This is just a fact of modern life.
However, one thing that always interests me, is the handling of such events. Look, it’s a PR nightmare, let’s call a spade a spade. Thing is, most of the outrage over high profile attacks are derived from the public management, messages being sent to customers or lack thereof.
Superdrug has a pharmacy and potentially medical records. One’s health is often a private matter, as such, information of this nature is sensitive and no doubt in the wrong hands could be harmful to those affected. So it would be reasonable to imagine being a Superdrug customer and being concerned your medical records were out there, available for the consumption of the highest bidder.
Superdrug has so far released two posts on its Twitter page in the last 18 hours, the first rather cryptic:
“To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.”
It’s almost like a secret message, a private joke, or something you’d say to a primary school buddy, like “check under your seat, I’ve left you a bag of marbles”. Only with a more serious tone. One look at the post comments and it’s easy to see that customers are not happy, not one bit.
The second, a somewhat more adult statement outlining the initial understanding of the extent of the attack, an apology, a reiteration of their commitment to protecting customer data and a prompt for customers to change their passwords. To make matters worse, their systems are also experiencing difficulties with some customers unable to make the changes.
Superdrug is claiming names, addresses, phone numbers, D.O.B and points of some 386 customers had been compromised. Reports are suggesting, that number is allegedly more like 20,000 and that it was in fact a Ransomware attack. So as these things go, Superdrug is now, with the support of the Police and Action Fraud, investigating the extent of compromise. This investigation could lead to an array of findings and outcomes.
Unfortunately, cyber attacks do tend to lead to ‘trust issues’ between companies and customers. And in light of the GDPR piece, most folks are a bit more clued up about their privacy, data and rights. For some, we now realise our data is valuable.
For the longest time companies have been cryptic, at times dishonest, at times downright dodgy in their handling of data breaches. And this for good reason, these issues can wreak havoc on share prices and send shareholders into a tailspin. It would be almost understandable to be discreet. Here’s the problem with that approach.
It’s unethical — by law companies are required to inform customers when their data is compromised.
It makes customers feel insecure because they suspect they’re not getting the full story.
It creates panic if the full extent of the attack is not known, particularly when sensitive or financial information is at stake.
Nobody, except the business affected and authorities learn about the attack, in terms of the nature and vulnerability, meaning any lessons that can be learned are contained.
Attackers operate conversely, meaning for status and efficacy, they work in teams and networks, sharing information.
Attackers understand the value in collaboration, to be successful in their attacks. Businesses tend to keep all those nuggets of knowledge from the attack under wraps.
It makes sense to share intelligence about attacks. Cyber threats are advancing and evolving at rapid speed and its partly down to the fact that they collaborate. Individuals, businesses and governments need to be educated about the threat landscape. Way too often, a major breach makes the headlines, the company is shamed, maybe they’re fined, the share price plummets and we move on until it happens again.
Superdrug should at this time, be putting its customers minds at ease, explaining publicly the nature and the extent of the attack. I’m sure their teams and the authorities are working tirelessly to understand what’s happened. But, optically it’s not the best start for Superdrug’s management of the situation — however, it’s not too late. It’s the customers who have more to lose and it’s the responsibility, not only to those customers but society itself, to work together to minimise the frequency of these attacks in the future and it starts with talking about it, however vulnerable that may feel.