Lush Customers Compromised in Security Breach

Bob Styran, IT audit expert
January 24, 2011

Cosmetics firm Lush has confirmed, in a one-page statement that now replaces its website, that the site was breached by unknown criminals who accessed customers' credit card details and used them fraudulently, at a direct cost to those customers.

“[Twenty-four] hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website,” Lush said in its advisory statement.

Online shopping on the website was suspended on January 21, after customers complained on the company's Facebook page that their cards had been used fraudulently by unknown individuals over a period of four months. Others sought compensation from Lush for their losses.

Lush advised customers who placed online orders between October 4, 2010 and January 20, 2011 to contact their banks for assistance with their compromised credit cards.

The security breach has serious impacts “and the effect on the trust that Lush were able to place in their online store were so serious that the entire Lush website has currently been taken offline and replaced with a single page offering limited details of the attack,” security expert Rik Ferguson from Trend Micro wrote in his security blog.

Ferguson went on, “I was initially alerted to the attack by one of my own friends whose card, along with her husband’s, have subsequently been used to make fraudulent purchases totalling almost £6000 from well-known online retailers.”

Lush ethical director Hilary Jones said the breach was discovered in December, when attackers were found inside the company's systems; trading was slowed while an investigation was carried out. Jones said the attackers targeted small purchases made by the company's European customers, allegedly using them to test whether a stolen credit card was still active.
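The probing pattern Jones describes, small charges used to check whether a stolen card is still live, is something a merchant or payment processor can look for on its own side. The following is an added example, not code from Lush or from this article: it assumes a hypothetical payment-gateway log format and uses constructed sample lines, and it flags any source address that makes many small-value authorization attempts against many distinct cards inside a short sliding window, while leaving a genuine shopper who buys several cheap items on one card alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (hypothetical format, not Lush data).
# One source probes six different cards with tiny amounts in a few minutes;
# another makes one normal purchase; a third buys cheap items on one card over hours.
SAMPLE_LOG = """\
2011-01-12T10:01:05 src=203.0.113.7 card=tok_a1 amount=1.50 result=approved
2011-01-12T10:01:40 src=203.0.113.7 card=tok_b2 amount=1.50 result=declined
2011-01-12T10:02:12 src=203.0.113.7 card=tok_c3 amount=2.00 result=approved
2011-01-12T10:02:55 src=203.0.113.7 card=tok_d4 amount=1.50 result=approved
2011-01-12T10:03:30 src=203.0.113.7 card=tok_e5 amount=2.50 result=declined
2011-01-12T10:04:02 src=203.0.113.7 card=tok_f6 amount=1.50 result=approved
2011-01-12T10:05:00 src=198.51.100.4 card=tok_g7 amount=34.99 result=approved
2011-01-12T09:00:00 src=192.0.2.10 card=tok_h8 amount=2.00 result=approved
2011-01-12T10:30:00 src=192.0.2.10 card=tok_h8 amount=2.00 result=approved
2011-01-12T11:45:00 src=192.0.2.10 card=tok_h8 amount=2.00 result=approved
"""

# Assumed line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) card=(?P<card>\S+) "
    r"amount=(?P<amount>[\d.]+) result=(?P<result>\S+)$"
)


def parse_auth_lines(text):
    """Parse gateway lines into (timestamp, source, card_token, amount, result) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        records.append((
            datetime.fromisoformat(m["ts"]),
            m["src"],
            m["card"],
            float(m["amount"]),
            m["result"],
        ))
    return records


def detect_card_testing(records, small_amount=5.00, window=timedelta(minutes=10),
                        min_attempts=5, min_distinct_cards=4):
    """Return {source: distinct_cards} for sources whose small-value
    authorization attempts (approved or declined) hit many different cards
    within any sliding window of the given length."""
    small_by_source = defaultdict(list)
    for ts, src, card, amount, _result in records:
        if amount <= small_amount:
            small_by_source[src].append((ts, card))

    alerts = {}
    for src, events in small_by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            cards = {card for _, card in in_window}
            if len(in_window) >= min_attempts and len(cards) >= min_distinct_cards:
                alerts[src] = max(alerts.get(src, 0), len(cards))
    return alerts


if __name__ == "__main__":
    for src, n in detect_card_testing(parse_auth_lines(SAMPLE_LOG)).items():
        print(f"card-testing suspected from {src}: {n} distinct cards probed")
```

Declined attempts count as much as approved ones, because a probing run produces both; the thresholds are starting points that a merchant would tune against its own baseline of legitimate low-value orders.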

“All customers potentially exposed to this breach were sent an email on 20 January 2011,” Lush said. A new online shop is to be launched soon, but it will accept payment only through PayPal.

“A full external Forensic Investigation of the security breach has been commissioned. We will be studying the results with great care, to ensure that we leave no stone unturned in our efforts to protect customers from events like this in the future,” Lush told its customers.
