Lush hack exposes security and reputation fears
Smelly soap and cosmetic retailer Lush is reeling this week from a major security breach on its webshop.
Last week, the firm took its ecommerce website offline, leaving a temporary page that explained, “We are sorry to confirm our website has been the victim of hackers.”
Lush warned customers who made online purchases between 4 October 2010 and 20 January 2011 that their card details may have been compromised and to contact their banks for advice.
With the site still being targeted by hackers, Lush decided to retire the current version of its website.
Security and data protection experts, meanwhile, mulled over the mechanics of the hack and Lush’s somewhat gormless response.
With 40 or more cards identified as having been used fraudulently, Sophos security expert Graham Cluley asked some of the key questions: “It would certainly be interesting to hear when Lush first discovered that they had suffered from a security breach... And was the customer credit card information not encrypted? If it had been strongly encrypted then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.”
Phil Lieberman, president of identity management specialist Lieberman Software, called the episode a “potential brand destroyer” for Lush and pointed to outraged comments on the company’s Facebook page.
“I agree with consumers who say that the retailer’s response has been inadequate. The company should have responded earlier and with more appropriate action,” he said. As well as alienating large numbers of customers, Lush could face fines from the Information Commissioner’s Office and investigation under the Payment Card Industry’s security standards rules.