Lush Admits Delay In Reporting Site Hack

Lush delayed notifying customers of its website hack for nearly a month while it conducted an investigation

Cosmetics company Lush has admitted it was aware its UK website had been hacked several weeks before it made the decision to inform customers of the intrusion.

Lush on Thursday sent an email to customers warning them that its UK website had been hacked repeatedly between 4 October, 2010 and 20 January, 2011. Users who had made purchases via the site during that period were at risk, Lush said in the email.

Lush’s delay in reporting the hack will increase pressure for mandatory notification of breaches, which the Information Commissioner’s Office has been pushing for and which is already required in the US. The hack follows a similar pattern to breaches at Gawker and a large theft of online CVs from the Guardian.

Fraudulent purchases

According to anecdotal evidence, such as comments on Lush’s Facebook page and comments by a Trend Micro security researcher, a significant amount of cash has in fact been lost due to the fraudulent use of cards belonging to Lush customers.

Lush ethical director Hilary Jones confirmed that the company became aware it had been attacked on Christmas day, according to a report from the BBC.

The site was taken down at that time while Lush investigated whether the attack had compromised customer card data, Jones said. Customers began to report small fraudulent purchases made using cards that had been used on Lush and other online shops, according to Jones.

Once it became clear that the fraudulent purchases indicated card data had been stolen from Lush, the company decided to inform customers and “retire” its UK website, Jones said.

“As an ethical company we could not keep that information to ourselves,” Jones told the BBC. “We had to tell a huge raft of customers.”

She said the site was not necessarily vulnerable for the entire October to January period, but that this large window was a way of covering all possibilities.

Lush has not released technical details of the attack or disclosed the number of customers affected or whether the data involved was encrypted.

The UK version of the Lush website has been taken down while Lush prepares a separate version that will accept only PayPal payments.

Investigation

“We are very sorry to confirm that our website has been the victim of hackers,” Lush said in a statement posted on its temporary website. “Twenty-four-hour security monitoring has shown us that we were still being targeted and there were continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.”

Lush said it was working with its credit card acquirer and the police to investigate the hack.

Trend Micro solutions architect Rik Ferguson wrote in a blog post on Friday that he has had reports of large fraudulent purchases resulting from the attack.

“I was initially alerted to the attack by one of my own friends whose card, along with her husband’s, has subsequently been used to make fraudulent purchases totalling almost £6,000 from well-known online retailers,” Ferguson wrote. “The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality.”

Several customers writing on Lush’s Facebook page also reported fraud, although some were sanguine about the incident.

“Has anyone actually had money stolen from their accounts since this all happened?” wrote a user identifying herself as Amy Rodgers on Sunday. “I have and I don’t hate Lush. I’m just glad they told me! My bank will deal with it and it isn’t the end of the world.”