Weekly Podcast: Superdrug, Facebook and Twitter, and the ICO

In this week’s podcast, we discuss the data incident at Superdrug, Facebook and Twitter removing accounts, and the ICO website being down.

Hello and welcome to the IT governance podcast for the 24th of August.

Our usual host is away for a couple of weeks, so I’ll be filling in.

Here are this week’s stories:

High-street retailer Superdrug suffered a data breach earlier this week. Reports claim that the personal data of 20,000 individuals has been stolen. In an email sent to those affected, Superdrug said:

“On the evening of the 20th of August, we were contacted by hackers who claimed they have obtained a number of our customers’ online shopping information. There is no evidence that Superdrug systems have been compromised.”

The email continued: “The hacker claims that they have obtained information on approximately 20,000 customers but we have only seen 386.”

The statement said it believed the criminals had retrieved customers’ email addresses and passwords from other websites and then used those credentials to access customers’ Superdrug accounts.

Information stolen included:

  • Names
  • Addresses
  • Dates of birth
  • Phone numbers
  • Point balances

Superdrug’s email suggests that customers log in and change their password now “and on an on-going, frequent basis”.

Many security professionals would call that bad advice. Most people are likely to have dozens of online accounts, so getting into the habit of changing passwords every 6 months means they are likely to quickly run out of ideas. In this instance, people may resort to weaker passwords or reuse the same password across multiple accounts. If Superdrug wished to give password advice, it would have done better to encourage customers to use a password manager. Not that the onus of responsibility should be placed entirely on the customer.

Facebook and Twitter have suspended or removed accounts linked to Iran and Russia over “inauthentic” or “manipulating” behaviour.

Over 600 Facebook pages and groups have been identified as “misleading”, according to Mark Zuckerberg.

Twitter said it suspended 284 accounts with apparent links to Iran.

Facebook said in a statement: “We ban this kind of behaviour because we want people to be able to trust the connections they make”.

Although the investigation was still in progress, the social media network added, the campaign appeared to be targeting people across multiple internet services in the Middle East, Latin America, the UK and the US.

The Information Commissioner’s Office (ICO) website has been down for at least 30 hours, without much of an explanation why. At the time of this recording, the website states:

“Due to a technical issue experienced by our website host Eduserv, the ICO website is currently unavailable. Our website hosts are continuing their work to restore the website.”

Roughly 24 hours after the site went down, the ICO added contact details to the landing page explaining how to reach them. This could imply that we should expect the site to remain down for some time.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.