Superdrug has become the latest high street chain to be targeted by hackers holding customer data to ransom.
According to the store, hackers contacted them on Monday evening saying they had obtained details on approximately 20,000 customers.
So far, Superdrug has seen 386 of the accounts compromised.
A spokeswoman for the company said: “The hacker shared a number of details with us to try and ‘prove’ he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.”
Superdrug said customers’ names, addresses and, in some cases, dates of birth, phone numbers and points balances may have been accessed, but no payment or card information had been taken.
Customers who may have had their data harvested received an email and were asked to change their passwords, and to change them regularly in the future.
The email read: “We have contacted the Police and Action Fraud (the UK’s national fraud and cyber crime arm) and will be offering them all the information they need for their investigation as we continue to take the responsibility of safeguarding our customers’ data incredibly seriously.”
Superdrug tweeted on Tuesday: “To customers who have received an email from us today, this email is genuine. We recommend you follow the steps outlined.”
One angry customer tweeted: “Not even an apology. Your responsibility to keep our information safe. Disappointed.”
Another said: “What a cagey and cryptic tweet, something you’re embarrassed to talk about?”
Last year, retailer Dixons Carphone, which owns a number of electrical and tech brands including Currys and PC World, was subject to one of the biggest data breaches in history.
Around 10 million records containing personal data were accessed.
In 2015, mobile network TalkTalk was targeted by hackers who exploited a flaw in the company’s website, resulting in 157,000 records being accessed.