Lush Cosmetics Data Breach

Lush Cosmetics, a handmade cosmetics company headquartered in Poole, Dorset in the United Kingdom with some 600 locations around the world, has ostensibly been the “victim of hackers” according to a post on their UK version web site http://www.lush.co.uk/ yesterday. Details are in somewhat short supply, but according to the notice posted, there was a successful initial intrusion and repeated subsequent attempts at re-entry.

A number of consumers of Lush products are reporting on the Lush Facebook page seeing similar fraudulent transactions (similar dollar amounts) in their bank accounts for items like prepaid phones, hotel bookings, and Xbox Live charges. With a handful of users reporting problems going back a couple of weeks, an important question emerges that is not yet answered: when did Lush first become aware of this problem?

Lush has indicated that only the UK version of their web site is affected and has advised any person that placed an online order between October 4th of last year and yesterday to contact their banks, indicating that credit card details have been compromised. Finally, in an unusual twist, they have elected to completely shutter the web site, opting to set up a temporary online shop that accepts PayPal payments. The front page of the site includes notes to both customers and the hacker.

E-mail to Customers From Lush

We would like to draw your attention to the statement below, as we believe you placed an order with us during the affected period. We are keen for customers not to have their credit cards used fraudulently, so urge you to contact your bank.

Our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.

For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

Customer Notice

The notice to customers posted on the Lush web site reads as follows:

Our website has been the victim of hackers.

24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter.

We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.

For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

We Believe hacking is a serious crime which steals large amounts of money and disrupts the lives of cardholders.

We Believe that hacking erodes the trust between businesses and their customers and creates a climate of fear around online ordering.

We Believe in working with police and banks to do all we can to bring this branch of organised crime to justice.

A completely separate, temporary website will be launched in a few days - initially taking PayPal payments only.

Meanwhile we would be delighted to serve you in our shops or take your order at our Mail Order Phone Room. Both of which have not been affected by this crisis since their credit card terminals are directly linked to the banks only and are not internet based.

We would like to thank all our customers for standing shoulder to shoulder with us whilst we have shared being victims of this crime.

Dear Hacker...

To the hacker they wrote the following:

TO THE HACKER If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.

Forensic Response

An initial concern is that while Lush has taken time out to write a mission statement on data theft and chastise the “hacker”, really a cracker, they mention nowhere that they have hired a reputable computer forensics company to come in and assess the damage. They provide little detail of what actually happened, and beyond shuttering the web site communicate no plan to customers that demonstrates new controls being implemented to prevent or limit problems like this in the future.

PCI

Perhaps also troubling is that credit card details are being reported as compromised at a company that is clearly subject to PCI DSS compliance, for whatever PCI is worth, and that had previously implemented a point-to-point encryption solution for its card readers at retail locations in the UK. While this certainly does not directly affect the storage of credit card numbers by their web application, it demonstrates both an understanding of what is required to be PCI compliant and an awareness of encryption solutions for protecting sensitive data.

Searching for additional discussion of security controls turns up little. Unfortunately, the “site security” section within the privacy policy for the U.S. version of the web site appears dated, discussing only the use of SSL in web transactions, with no indication of further protections beyond using a “secure server”:

We use appropriate security safeguards to protect your personal information against loss, theft, and unauthorized access. Any personal information you provide to LUSH is exchanged on a secure server. We use an advanced security system, the Secure Sockets Layer (SSL) protocol, to encrypt, or encode, information you send to us in the order process. The encryption process protects information, such as your credit card number, and billing and shipping information by scrambling it before it is sent from your computer. Only once we receive your information is it decoded, and we make all reasonable efforts to ensure its security on our own systems. - Lush Privacy Policy

Finally...Muppets

The final thing they did, which I’ve never quite seen before, is link to a video of a singing Muppet lemming “turning frowns upside down” to share a smile and cheer themselves up. Customer reaction appears mixed, with some customers reporting problems while others seem to support the company’s handling of the data breach. But this breach does look like it will have an impact on the cosmetics company's bottom line; in the words of one angry consumer on Facebook: "What a nightmare and I am very very annoyed at this and will no longer be shopping with lush ever again as we entrusted our details and they were not kept secure."

The Lush UK web site as it appeared yesterday.

Talkback

11 comments
  • They addressed the Hacker?

    kind of odd...yeah, I can see how they could hope that statement would lure someone into coming forward about the attack...but, does that statement also establish a desire to prosecute (or lack thereof)?

    I can't see that happening on this side of the pond or else some lawyer would take that and run with it:

    "Your Honor, my client can not be prosecuted ...the defendant announced publicly that it was all but ready to offer my client a job."
    SonofaSailor
  • How will this affect my credit rating?

    Lush is trying to shift the responsibility to the customer. In the past, I have reported to my bank that my credit card might be compromised. But that is because of my mistake of using a similar password on many sites. So I am prepared to take a credit rating hit by reporting this.
    However, if it is the e-commerce website's lapse in security, I believe they should report this incident to VISA/Mastercard, who will eventually contact the banks.
    sidic
    • RE: Lush Cosmetics Data Breach

      @sidic

      Huh? Why would your credit rating be affected?
      aep528
      • RE: Lush Cosmetics Data Breach

        @aep528
        I am not trying to spread FUD. I hope "reporting potential fraud on my credit card to my bank as a precaution" will not affect my credit rating. I hope that is true, because it is the fault of the website and the cracker. It is not my fault.
        sidic
  • Lush Uk Fault

    It's Lush UK's fault: they had not updated their ecommerce software, Virtuemart. See an article with my help http://bit.ly/fUzJSU
    Make your own opinion...
    Pierrafeu
    • RE: Lush Cosmetics Data Breach

      @Pierrafeu
      I hate SQL injection.
      sidic
  • YAWN

    Not concerned.
    james347
    • RE: Lush Cosmetics Data Breach

      @james347 Assuming you don't wear makeup then.
      Prefect23