Superdrug has warned customers of a security incident which may have resulted in the exposure of personal data.
On Tuesday evening, the UK health and beauty retailer emailed customers and also revealed on Twitter that an event had occurred "which may have resulted in the possible disclosure of some customers' personal information."
Superdrug said that names, addresses, dates of birth, phone numbers, and point balances may have been compromised. However, it is not believed that any financial data has been put at risk.
The British pharmacy was contacted by an unknown threat actor who claimed to have stolen information belonging to 20,000 customers. In order to prove the data breach was genuine, the individual shared a number of details which Superdrug was able to verify.
So far, 386 accounts have been confirmed as compromised.
Superdrug said there is "no evidence" that internal systems have been compromised; instead, the company believes that credentials customers had reused from other websites were used to access Superdrug accounts.
The threat actor has attempted to secure a ransom payment, the company added.
The retailer has asked customers to change their passwords immediately, but there also appears to be a problem with the system as Superdrug has received reports that some clients are having trouble doing so.
"We appreciate this is very frustrating and we are doing everything we can on this," the company said. "We are very sorry for the inconvenience and concern this has caused."
The UK Action Fraud center has been notified of the data breach alongside law enforcement. An investigation is ongoing.
Superdrug may have fallen afoul of the new EU General Data Protection Regulation (GDPR) due to the issue.
The new legislation not only requires businesses in the bloc to report data breaches and security incidents in a timely manner but can also result in the imposition of heavy fines when adequate security measures are not in place. However, it will be up to regulators to decide if further action needs to be taken.
Superdrug is not the only well-known UK retailer to become a victim of a cyberattack in recent months.
In June, electronics giant Dixons Carphone said that its systems had been compromised, resulting in the exposure of 5.9 million customer payment card details and a further 1.2 million records containing personal information.