Lush pickings for credit thief as site hacked



NSW Police is investigating the theft of an unknown number of credit card details from cosmetics retailer Lush after its Australian and New Zealand websites were cracked overnight.


(Red lips image by Tania Siaz, CC2.0)

The attack follows a breach of the Lush UK website in which criminals stole credit cards between 4 October last year and 20 January 2011 and used them for fraudulent purchases. The overseas website is still offline after nearly a month; the company plans to post a revamped site.

Lush Australia said customers who have made purchases through its website should contact their banks immediately and possibly cancel their credit cards.

"We are sorry to have to announce that the Lush Australia and New Zealand websites have been hacked. We have been alerted to advise us that entry has been gained and customer details have been obtained by the hackers," the company said in a written statement.

"We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

"Lush is working with the police, forensic investigators and banks and doing all that we can to investigate the breach in privacy."

The company said the UK and local websites are not linked, but did not confirm if the two use the same hosting software, which could expose both to the same vulnerabilities.

Unlike the UK arm, Lush Australia said it had reacted immediately to the breach to inform affected customers via email.


Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.


Talkback

2 comments
  • There's a PCI QSA out there about to get sued...
    no11
  • Why is this one so special? This happens all the time; sometimes (like this) the consumers get to know about it; sometimes the breach is not made public to the consumers (by the merchant or by the banks), but most of the time even the merchants and banks don't know they've been fleeced until unauthorised purchases are made; and even then some aren't picked up, even by the owners of the cards themselves (mostly because of micro payments).

    One step in the right direction would be mandatory disclosure laws. The laws wouldn't protect people from these thieves, but it'd make people more aware of what is really happening every day and make people more conscious of who they give their information to.
    anthonywr