Lush: Online Security Breach

After recently having its UK website hacked, hand-made cosmetics retailer Lush has announced that its Australian and New Zealand websites have also been the target of hackers and have possibly been compromised.

Lush has been forced to close its Australian and New Zealand websites after being targeted by hackers.

The company’s UK website, which was hacked on 20 January, advised that consumers who had purchased products from the website between the ‘4th of October 2010 and 20th January 2011’ should contact their banks and monitor their accounts closely.

The Australian website, which has now been closed down, advised customers:

“We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by hackers. We urgently advise customers who have placed an online order with Lush Australian and New Zealand to contact their bank to discuss if canceling their credit cards is advisable.”

Expert Opinion

John Debrincat, CEO of eCorner, says:

“Security in online stores is getting tougher which is why it is important to use credible payment providers like PayPal or eWAY.

“Online thieves can get pretty sophisticated in their methods of attack and it is a constant battle to keep security up. PCI Compliance is being used by the card providers and banks more as a threat than as a tool. In many ways it is just too hard for small to mid size retailers.

“The first reaction is to blame the store, but of course it is the thief (they are not hackers) that stole the information and therefore the money. The very first thing we should all do is stop calling them ‘hackers’ and start calling them ‘criminals’. In Australia there have been a few attempts to update and improve the Cyber Crime Act but it still does not have a lot of teeth. Both state and federal police struggle to understand how to handle an incident like this.”

Phil Grech, Managing Director, Fourfires Solutions, says:

“How this happens in this day and age, is unfathomable. While undoubtedly they are using some sort of third-party payment gateway to process purchases they appeared to be storing the actual credit card numbers on their own servers that had limited security and one can’t help but wonder if they were PCI-DSS compliant.

“If the above is in fact correct, then this is a great example of not hiring a qualified and experienced e-commerce professional to manage your channel. Why retailers choose to store credit card data when third-party solutions are not only PCI-DSS compliant, but more cost effective is unbelievable.

“The greatest loss, especially online, is that they have lost the trust of their most prized asset, their customers, and under these circumstances it will be extremely difficult to get it back.”

Today’s news that thousands of online shoppers purchasing goods from popular cosmetics group Lush may have had their personal details, including credit card numbers, compromised sends a strong message to Australia’s online retail industry about the security of customers’ personal data.

Frerk-Malte Feller, Managing Director, PayPal Australia, says:

“The rise in consumer shopping online must not be taken lightly and security around payments is still a major concern for consumers. Indeed, recent PayPal research* shows that risk of fraud and providing payment details are still some of the biggest barriers to online shopping, with 40% of Australians worried about these issues.

“Operating an online store has wide ranging benefits to Australian retailers, both large and small – from reaching new customers both at home and overseas to decreasing operating costs. Whilst these benefits are great, making the move online should be well planned and security should sit at the heart of any online strategy.

“The loss of consumers’ personal data as a result of the unfortunate breach in security highlights a need for stringent payment solutions and a partnership between industry and retailers in assuring a robust and secure system is in place, with no exceptions. Whilst eCommerce is booming, consumer safety will always remain a key issue.”

Customer Response

Comments on the Lush Facebook page show concern and outrage from customers.

As reported by Mashable, comments on Lush’s UK Facebook page indicated that, ‘several customers detailed purchases made using their stolen credit card information. While others expressed anger over the length of time that Lush waited after discovering that hackers had penetrated the site on Christmas Day.’

There has already been a response on the company’s Australian Facebook page, with Kate Cant commenting:

“Idiots. What made you say it was safe months ago if it wasn’t and how long has this been actually known? You people seem to learn nothing when something goes wrong, home or abroad.”

Does this comment ring true? If Lush knew its websites were being targeted abroad, should the alarm bells have been ringing in its other markets? Whatever the case may be, it brings to the forefront the issue of security and protection of data during the e-commerce process.

Lush were contacted for further comment, however no response was received at the time of publication.

*The Leading Edge Research as included in eCommerce: Secure Insight, Nov 2010

One thought on “Lush: Online Security Breach”

  1. Don’t blame the victim, blame the perpetrator. Lush is a victim just as are the card holders who had money charged against their cards. The card holders will get the money back but Lush may not get their trust back anytime soon. You also cannot just assume that they stored card data and it was stolen. We all install security systems, locks, window bars and so on on our homes and offices. But break-ins still occur, criminals find ways. So when that happens do we say “you idiot, you didn’t have the latest and greatest security systems or locks…”? No, we do not. Online retailers have to be diligent as do the service providers but the blame rests with the criminals. Credit card usage is safe online and there is a low risk of fraud but it does happen.
