Lush customer details stolen by hackers

gallery

Lush, the UK-based cosmetics company, has fallen victim to hackers.

The firm revealed its website had been attacked when it emailed its customers, and later posted a notice online, but details of the hack itself have remained few and far between.

What is known is the hack affected customers who made purchases from the site between 4 October 2010 and 20 January 2011 and hackers are continuing to try and break into the site.

As a result, Lush shutdown the website entirely - bar a page explaining the attack - and set up a temporary online shop which accepts PayPal transactions.

“Our website has been the victim of hackers,” the online statement read. “24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter.”

“We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.”

The statement also included a note addressed to the hacker, which said: “If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Rik Ferguson, senior security advisor for Trend Micro, said in a blog post: “For the most part shopping online is as safe as shopping in store, but when a compromise occurs at an online merchant often its consequences are far greater, affecting many more people than in store card cloning due to the centralised nature of online stores.”

He added: “If you feel you may have been affected, contact your bank immediately.”

Email to a friend

Print this page