Cosmetics company Lush has admitted it was aware its UK website had been hacked several weeks before it made the decision to inform customers of the intrusion.
Lush on Thursday sent an email to customers warning them that its UK website had been hacked repeatedly between 4 October, 2010 and 20 January, 2011. Users who had made purchases via the site during that period were at risk, Lush said in the email.
Lush’s delay in reporting the hack will increase pressure for mandatory breach notification, which the Information Commissioner’s Office has been pushing for in the UK and which is already required by law in most US states. The hack follows a similar pattern to the breach at Gawker and the large theft of online CVs from the Guardian.
Anecdotal evidence, including comments on Lush’s Facebook page and a blog post by a Trend Micro security researcher, indicates that a significant amount of money has already been lost through fraudulent use of cards belonging to Lush customers.
Lush ethical director Hilary Jones confirmed that the company became aware it had been attacked on Christmas day, according to a report from the BBC.
The site was taken down at that time while Lush investigated whether the attack had compromised customer card data, Jones said. Customers then began to report small fraudulent purchases made with cards that had been used on Lush and on other online shops, according to Jones.
Once it became clear that the fraudulent purchases indicated card data had been stolen from Lush, the company decided to inform customers and “retire” its UK website, Jones said.
“As an ethical company we could not keep that information to ourselves,” Jones told the BBC. “We had to tell a huge raft of customers.”
She said the site was not necessarily vulnerable for the entire October to January period, but that quoting this large window was a way of covering all possibilities.
Lush has not released technical details of the attack or disclosed the number of customers affected or whether the data involved was encrypted.
The UK version of the Lush website has been taken down while Lush prepares a separate version that will accept only PayPal payments, so that card details are handled by PayPal rather than entered on Lush’s own site.
“We are very sorry to confirm that our website has been the victim of hackers,” Lush said in a statement posted on its temporary website. “Twenty-four-hour security monitoring has shown us that we were still being targeted and there were continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.”
Lush said it was working with its credit card acquirer and the police to investigate the hack.
Trend Micro solutions architect Rik Ferguson wrote in a blog post on Friday that he had received reports of large fraudulent purchases resulting from the attack.
“I was initially alerted to the attack by one of my own friends whose card, along with her husband’s have subsequently been used to make fraudulent purchases totalling almost £6,000 from well-known online retailers,” Ferguson wrote. “The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality.”
Several customers writing on Lush’s Facebook page also reported fraud, although some were sanguine about the incident.
“Has anyone actually had money stolen from their accounts since this all happened?” wrote a user identifying herself as Amy Rodgers on Sunday. “I have and I don’t hate Lush. I’m just glad they told me! My bank will deal with it and it isn’t the end of the world.”