NSW Police is investigating the theft of an unknown number of credit card details from cosmetics retailer Lush after its Australian and New Zealand websites were cracked overnight.
The attack follows a breach of the Lush UK website in which criminals stole credit cards between 4 October last year and 20 January 2011 and used them for fraudulent purchases. The overseas website is still offline after nearly a month, and a revamped site is planned.
Lush Australia said customers who have made purchases through its website should contact their banks immediately and possibly cancel their credit cards.
"We are sorry to have to announce that the Lush Australia and New Zealand websites have been hacked. We have been alerted to advise us that entry has been gained and customer details have been obtained by the hackers," the company said in a written statement.
"We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.
"Lush is working with the police, forensic investigators and banks and doing all that we can to investigate the breach in privacy."
The company said the UK and local websites are not linked, but did not confirm if the two use the same hosting software, which could expose both to the same vulnerabilities.
Unlike the UK arm, Lush Australia said it had reacted immediately to the breach to inform affected customers via email.