Lush forced to close website after four-month compromise

News by Dan Raywood

Cosmetics retailer Lush has been forced to 'retire' its website after it was hacked.

In a message on its website, Lush said that 24-hour security monitoring showed that it was still being targeted and there were continuing attempts to re-enter. A statement suggested that the website was first hacked on the 4th October 2010. Lush thanked customers who had placed orders in the time since then and told them to contact their bank in case their card details had been compromised.

Saying that it refuses 'to put our customers at risk of another entry', Lush said the current domain would be closed and a completely separate, temporary website would be launched in a few days, initially taking payments via PayPal.

It said: “Meanwhile we would be delighted to serve you in our shops or take your order at our Mail Order Phone Room. Both of which have not been affected by this crisis since their credit card terminals are directly linked to the banks only and are not internet-based. We would like to thank all our customers for standing shoulder to shoulder with us whilst we have shared being victims of this crime.”

It also had a message for the hacker, which said: “If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job, were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Jonathan Armstrong, partner at Duane Morris, said: “It seems to me this is a taste of things to come for businesses in the UK. The threats to websites are growing and at the same time the requirements on businesses to be honest with their customers are increasing too.

“In March we have new rules on online advertising and the Office of Fair Trading recently launched their campaign on online fairness. The Information Commissioner's Office has been more active as well in looking at how companies react to security breaches. Whilst it is good of the soap maker to come clean with heightened transparency obligations, this was always likely to come out in the wash.”

Graham Cluley, senior technology consultant at Sophos, told SC Magazine that while he felt that Lush was being quite 'social media cool' about it, he felt that they could have done better by giving advice on what customers can look out for.

He said: “This is very serious, how many people have bought from Lush over Christmas? They are not going to go and talk to their bank, so how do they know if there was a problem? The other thing is when did Lush find out about this and when did they take action? The UK site is down but there are always questions that need to be answered.”

David Emm, senior security researcher at Kaspersky Lab UK, said: “An ever-growing number of us bank, shop and socialise online, so it is essential that we all make sure we protect our computers, including patching our systems and installing and updating Internet security software. However, security applies to all parties in an online transaction, so even if we protect our computers effectively, there is a chance that a security weakness on an online vendor's website might compromise our security.

“We would recommend that whenever you have reason to believe your online identity has been compromised, you should take action to limit the risk of financial loss. In a case like this, that means asking your bank to cancel your credit card and send you a new one.”
