Hacked Lush site seems to have been ‘riddled with vulnerabilities’

Experts say that natural cosmetics company Lush’s ecommerce website seems to have been ‘riddled with vulnerabilities,’ and was ‘clearly… in breach of PCI DSS compliance.’ What does this mean for other online retailers? We consider the implications.

The security of online payment has been put under the spotlight with the news that the Lush ecommerce website has been taken down following attacks by hackers. Experts say it seems the site was “riddled with vulnerabilities”.

The natural cosmetics company said in a statement on its site that some of its customers had experienced unauthorized use of their cards as a result of hacking, and it has advised all customers who ordered online with the site between October 4 and January 20 to check their bank statements and also contact their bank for advice since their card details may have been compromised. Some reports put the scale of money defrauded at several thousand pounds.

The statement said: “We hope we are erring very much on the side of caution. We would rather notify more customers than required than find out in retrospect we had narrowed it and missed people.”

It also says customers who may have been exposed to the breach were emailed on January 20.

An alternative, temporary, website, which will accept only PayPal payments, is to be launched in coming days.

In the meantime customers can contact the company on its mail order number, 01202 668545. The company says its mail order and shop systems have not been affected by the crisis, “since their credit card terminals are directly linked to the banks only and are not internet-based”.

A forensic investigation of the security breach has been commissioned. Lush says: “We will be studying the results with great care, to ensure we leave no stone unturned in our efforts to protect customers from events like this in the future.” The statement added: “We are so sorry for the worry and disruption that this has caused our customers.” The statement does go on, perhaps ill-advisedly, to praise the work of the hackers, saying: “To the hacker. If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Today several people affected by events had posted on the company’s Facebook page. Some were out of pocket while others had to cancel their bank cards. The retailer’s Twitter feed was also dominated by the subject. One follower said £1,185 had been taken from her credit card, probably as a result of the Lush hacking. However the retailer is also using the Twitter feed to engage with shoppers on the issue, praising the support it has got from members of its online communities.

Noa Bar-Yosef, senior security strategist at Imperva, said: “It seems that Lush online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they’re taking the website down. So it’s not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.”

He said it appeared that the attack “clearly shows that Lush was in breach of PCI DSS compliance” – the regulations that bind etailers who accept Visa and Mastercard payments.

And, added Bar-Yosef, it seems its audit trail is not up to scratch, since “a good audit trail should also provide concrete details regarding who was affected and when,” rather than leaving the retailer to contact everyone who might potentially have been affected.

Our view: Anyone who’s ever lost their credit or debit card will know that it’s something of a nuisance to have to order a new one. Most people who have ordered from Lush over the past four months will now be faced with this – leaving them potentially without a card or access to cash, for several days. Those who have been personally affected by hacker fraud will find it’s still more complicated to resolve. It’s a deep understatement to say that’s not what shoppers want when they turn to the convenience of online purchasing.

So this high-profile failure of Lush’s payment systems risks dealing a blow not only to that company and the reputation of its online store as a place to shop safely, but to ecommerce as a whole. For some consumers it will also raise doubts about the safety of paying online at all.

We predict this will serve to strengthen shoppers’ faith in the brands they really trust – whether retail or payment processing companies – but will also raise doubts about shopping online with those that they believe may be less safe.

Certainly this should prompt internet retailers everywhere to take a good hard look at the safety of their systems – and flag up clearly on their website why theirs can be trusted. It’ll also be important to learn from the lessons that Lush takes from its forensic investigation – we trust they’ll be sharing those lessons in due course.

Mentioned in this piece: Lush, a UK-based cosmetics company.

8 comments on “Hacked Lush site seems to have been ‘riddled with vulnerabilities’”

  1. as100030 said:

    #Lush site hacked but handled the grave situation as gracefully as possible –

    This comment was originally posted on Twitter

  2. This breach should be embarrassing to Lush and any online retailer. The Payment Card Industry Data Security Standard has been around for years, and it’s not terribly difficult to follow. In fact, some analysts are recommending using it as a base for a company’s security model (see Forrester’s PCI Unleashed paper). What this shows is that Lush was incredibly sloppy with their internal systems, since they did not follow the most basic of best practices.

  3. Ian Cushion said:

    Problems like this not only do potential long-term damage to a strong and successful brand, but are also completely avoidable. In this day and age, payment service providers have technology that will enable all merchants to successfully serve their customers without having to worry about storing card numbers themselves. Merchants can also do more to protect card details and should consider using tokenisation, an additional encryption capability that replaces sensitive data with unique identification symbols. The token can be accessed by the merchant for reporting and future purchases, but the credit card details remain secure at all times.
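The tokenisation flow the comment above describes, as an added example that is not part of this page or of any payment provider's code: a token vault, assumed here to sit with the payment service provider and modelled with in-memory dictionaries, issues a random surrogate for each card number (random tokens are one common way of implementing this; encrypting the number is another); the merchant stores and rebills with the token only; and a scanner run over a copy of the merchant's order table shows that nothing Luhn-valid remains for an attacker to lift. The card numbers are the publicly documented Visa and Mastercard test numbers, and the class, function and field names are assumptions of this example.

```python
import re
import secrets
import string


def luhn_ok(digits: str) -> bool:
    """Luhn check on a string of digits (the ISO/IEC 7812 check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token -> PAN mapping. Assumed to run at the payment service
    provider, inside PCI DSS scope; the merchant never operates this class."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:             # same card, same token, so the
            return self._token_by_pan[pan]         # merchant can recognise a repeat card
        # Random surrogate with no mathematical relation to the PAN (letters only,
        # so a token can never be mistaken for a card number by a scanner).
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        """The merchant sends a token; the provider resolves the PAN internally
        and returns only a receipt. The PAN never leaves the vault."""
        pan = self._pan_by_token[token]            # KeyError for an unknown token
        return {"token": token, "last4": pan[-4:],
                "amount_pence": amount_pence, "approved": True}


class MerchantStore:
    """What the retailer keeps: order rows carrying tokens and last four digits, never PANs."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []

    def checkout(self, order_id: str, pan: str, amount_pence: int) -> dict:
        token = self.vault.tokenize(pan)           # PAN handed straight to the provider
        receipt = self.vault.charge(token, amount_pence)
        row = {"order_id": order_id, "token": token,
               "last4": receipt["last4"], "amount_pence": amount_pence}
        self.orders.append(row)                    # only the token is retained
        return row

    def rebill(self, order_id: str, amount_pence: int) -> dict:
        """A future purchase against the stored token, with no card number on file."""
        row = next(o for o in self.orders if o["order_id"] == order_id)
        return self.vault.charge(row["token"], amount_pence)

    def dump(self) -> str:
        """Simulates an attacker reading the whole order table as CSV."""
        return "\n".join(f"{o['order_id']},{o['token']},{o['last4']},{o['amount_pence']}"
                         for o in self.orders)


# A run of 13 to 19 digits not adjoining other digits is a PAN candidate;
# the Luhn check then filters out order numbers, amounts and the like.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan text (a database dump, a log file) for Luhn-valid digit runs, i.e. likely PANs."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantStore(vault)
    # Constructed sample input: the standard Visa and Mastercard test numbers, not real accounts.
    shop.checkout("ORD-1001", "4111 1111 1111 1111", 2499)
    shop.checkout("ORD-1002", "5555 5555 5555 4444", 1299)
    print(shop.rebill("ORD-1001", 999))
    print(shop.dump())
    print("card numbers recoverable from merchant dump:", find_pans(shop.dump()))
```

Run the same `find_pans` scanner over a copy of a real order table or web-server log and the result should be empty; any hit is a card number the merchant is holding outside the provider's vault.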

  4. adido said:

    Going on from our recent comment in the Bmth Echo – #fb

    This comment was originally posted on Twitter

  5. Joel said:

    What company handles Lush’s e-commerce website?


  6. Mike said:

    Need new digital agency and team!!!!

  7. digitaljes5 said:
  8. As the website has been taken offline, something was seriously wrong with it. It is doubtful Lush Cosmetics were in compliance with credit card scheme regulations at the time of breach and hopefully this sends a message to other online retailers – get your security acts cleaned up, or end up in the press.

Comments are closed.