Attacks on Lush website expose credit-card details

Customers say they have become victims of fraud after the cosmetic company's UK website was hit by repeated hacking attacks over the last three months
Written by ZDNet Staff, Contributor

Cosmetics company Lush has warned customers that its UK website has been hacked repeatedly over the past three months, exposing credit-card details to fraudulent use.

Lush website hack

The website of cosmetics retailer Lush has been hacked repeatedly over the last three months. Photo credit: Kake Pugh on Flickr

Lush did not release technical details of the attack, nor specify the number of customers compromised or the security techniques used to handle the data involved, but anecdotal evidence indicates that some customers have been the victims of fraud.

The company sent an email statement to customers on Thursday outlining the incident and urging them to contact their banks.

"Our website has been the victim of hackers," Lush said in the email. "Twenty-four-hour security monitoring has shown us that we are still being targeted, and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry — so have decided to completely retire this version of our website."

Lush said it is preparing another version of its UK website to replace the one it has taken offline. The new version will launch within a few days and will initially only accept payments via PayPal, it added.

The incident affected customers who placed online orders between 4 October, 2010 and 20 January, 2011, according to Lush. Orders placed in Lush's shops or via telephone are not affected.

Some security experts have questioned Lush's timing in notifying customers of the breach. The company has acknowledged that it discovered the issue in late December, yet affected transactions include ones placed in January.

In a statement, the cosmetics company said that it had responded to the breach by starting a "thorough investigation" and putting in place "extra security measures". However, it was only when security monitoring showed the latest hacking attempt that Lush took down its UK website and notified customers, according to the statement.

Lush added that it is working with the police and its credit-card acquirer to carry out a full investigation into the hacking.

Credit-card information

The company's response raises more questions than it answers, according to security researcher Graham Cluley of Sophos.

"Was the customer credit-card information not encrypted?" he wrote in a blog post on Friday. "If it had been strongly encrypted, then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud."

My card details were used fraudulently, and I had the hassle of needing a new card and no access to my money
– Lush customer

Writing on Lush's Facebook page, several customers confirmed their details had been abused.

"My card details were used fraudulently, and I had the hassle of needing a new card and no access to my money," wrote a user identifying herself as Jane Sendall on Friday. "It would have been nice to have been warned earlier."

Another user, identifying herself as Kerry Aldam, wrote on Friday that a purchase in October had resulted in an incident of fraud within "the last few days".

On its temporary UK website, Lush posted a video of toy lemmings playing music, alongside a note urging users to "click on the video to try and share a smile". The temporary site also addressed a message to those responsible for the attack.

"To the hacker: If you are reading this, our web team would like to say that your talents are formidable," the note read. "We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers."

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Editorial standards