Cosmetics firm Lush shuts Web site after hack attack

Cosmetics firm Lush has shut down its UK Web site in the wake of an attack by hackers that has put the payment card details of customers at risk.

In a statement on its site, the company says all customers that placed online orders between 4 October and today are at risk and should contact their banks for advice.

Security monitoring shows the site is still being targeted, prompting Lush to completely retire the site. A new one will be launched in a few days, initially taking PayPal payments only.

The risk that the stolen details are being used by crooks is significant, according to Rik Ferguson from security outfit Trend Micro. In a blog post he says he was alerted to the attack by a friend, whose card, along with her husband's, has been used to make fraudulent online purchases worth around £6000.

Meanwhile, Lush has addressed the hacker on its site, saying: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers."

Comments (3)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 24 January 2011, 08:48

Since this kind of thing seems to be happening rather regularly, LUSH shouldn't be held singularly at fault. At the same time, e-tailers can't afford to get blasé about this issue. Due to no fault of its customers - other than to place their trust in LUSH to keep their financial information safe - LUSH is putting its customers to a lot of trouble by asking customers to contact their banks for advice.

Even as the customers have to bear the anxiety, can't LUSH at least spare them the effort by taking this up collectively on behalf of all affected customers with the respective banks?


Keith Appleyard - available for hire - Bromley, 24 January 2011, 10:57

Reading various other reports, it does seem as if LUSH were rather laid back in watching this happen for a good few weeks/months rather than interceding immediately.

Also, they appear to be in breach of PCI-DSS if the card numbers weren't encrypted?

A Finextra member, 25 January 2011, 14:57

From all reports it would indicate that the e-Commerce entity may have had a particularly laissez-faire attitude towards Information Security - the fact that there were multiple vulnerabilities and that the e-Commerce section of the site had to be completely taken down are quite telling of the situation.


One has to question how the Merchant Acquirer failed to identify potential issues as part of the Merchant Audit required as per PCI-DSS - assuming it was audited by qualified Certified Security Assessors.