Lush Cosmetics Data Breach
Lush Cosmetics, a handmade cosmetics company headquartered in Poole, Dorset in the United Kingdom with some 600 locations around the world, has ostensibly been the “victim of hackers” according to a post on their UK version web site http://www.lush.co.uk/ yesterday. Details are in somewhat short supply, but according to the notice posted, there was a successful initial intrusion and repeated subsequent attempts at re-entry.
A number of consumers of Lush products are reporting on the Lush Facebook page seeing similar fraudulent transactions (similar dollar amounts) in their bank accounts for items like prepaid phones, hotel bookings, and Xbox Live charges. With a handful of users reporting problems going back a couple of weeks, an important question emerges that is not yet answered: when did Lush first become aware of this problem?
Lush has indicated that only the UK version of their web site is affected and has advised any person that placed an online order between October 4th of last year and yesterday to contact their banks, indicating that credit card details have been compromised. Finally, in an unusual twist, they have elected to completely shutter the web site, opting to set up a temporary online shop that accepts PayPal payments. The front page of the site includes notes to both customers, and the hacker.
E-mail to Customers From Lush
We would like to draw your attention to the statement below, as we believe you placed an order with us during the affected period. We are keen for customers not to have their credit cards used fraudulently, so urge you to contact your bank.
Our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.
For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.
Customer Notice The notice to customers posted on the Lush web site reads as follows:
Our website has been the victim of hackers.
24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter.
We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.
For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.
We Believe hacking is a serious crime which steals large amounts of money and disrupts the lives of cardholders.
We Believe that hacking erodes the trust between businesses and their customers and creates a climate of fear around online ordering.
We Believe in working with police and banks to do all we can to bring this branch of organised crime to justice.
A completely separate, temporary website will be launched in a few days - initially taking PayPal payments only.
Meanwhile we would be delighted to serve you in our shops or take your order at our Mail Order Phone Room. Both of which have not been affected by this crisis since their credit card terminals are directly linked to the banks only and are not internet based.
We would like to thank all our customers for standing shoulder to shoulder with us whilst we have shared being victims of this crime.
Dear Hacker... To the hacker they wrote the following:
TO THE HACKER If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.
Forensic Response An initial concern is that while Lush has taken time out to write a mission statement on data theft and chastise the “hacker”, really a cracker, they mention nowhere that they have hired a reputable computer forensics company to come in and assess the damage. They provide little actual detail of what actually happened, and beyond shuttering the web site communicate no plan to customers that demonstrates new controls being implemented to prevent or limit problems like this in the future.
PCI Perhaps also troubling is that credit card details are being reported as compromised with a company that is clearly affected by PCI DSS compliance, for whatever PCI is worth, who had previously implemented a point-to-point encryption solution for their card readers at retail locations in the UK. While this certainly does not directly affect the storage of credit card numbers by their web application, it demonstrates both an understanding of what is required to be PCI complaint, and an awareness of encryption solutions for protecting sensitive data.
Searching for additional discussion of security controls turns up little, unfortunately the “site security” section within their privacy policy for the U.S. version web site appears dated, discussing only the use of SSL in web transactions, and no indication of further protections beyond using a “secure server”:
We use appropriate security safeguards to protect your personal information against loss, theft, and unauthorized access. Any personal information you provide to LUSH is exchanged on a secure server. We use an advanced security system, the Secure Sockets Layer (SSL) protocol, to encrypt, or encode, information you send to us in the order process. The encryption process protects information, such as your credit card number, and billing and shipping information by scrambling it before it is sent from your computer. Only once we receive your information is it decoded, and we make all reasonable efforts to ensure its security on our own systems. - Lush Privacy Policy
Finally...Muppets The final thing they did, which I’ve never quite seen before, is they linked to a video of a singing Muppet lemming “turning frowns upside down” to share a smile and cheer themselves up. Customer reaction appears mixed, with some customers indicating problems while others seem to support the company’s handling of the data breach. But this breach does look like it will have an impact to the cosmetic company's bottom line, in the words of one angry consumer on Facebook: "What a nightmare and I am very very annoyed at this and will no longer be shopping with lush ever again as we entrusted our details and they were not kept secure."
The Lush UK web site as it appeared yesterday.