
Hacked Lush site seems to have been ‘riddled with vulnerabilities’

This is an archived article - we have removed images and other assets but have left the text unchanged for your reference



The security of online payment has been put under the spotlight with the news that the Lush.co.uk ecommerce website has been taken down following attacks by hackers. Experts say it seems the site was “riddled with vulnerabilities”.

The natural cosmetics company said in a statement on its site that some of its customers had experienced unauthorized use of their cards as a result of hacking, and it has advised all customers who ordered online with the site between October 4 and January 20 to check their bank statements and also contact their bank for advice since their card details may have been compromised. Some reports put the scale of money defrauded at several thousand pounds.

The statement said: “We hope we are erring very much on the side of caution. We would rather notify more customers than required than find out in retrospect we had narrowed it and missed people.”

It also says customers who may have been exposed to the breach were emailed on January 20.

An alternative, temporary, website, which will accept only PayPal payments, is to be launched in coming days.

In the meantime customers can contact the company on its mail order number, 01202 668545. The company says its mail order and shop systems have not been affected by the crisis, “since their credit card terminals are directly linked to the banks only and are not internet-based”.

A forensic investigation of the security breach has been commissioned, and Lush says: “We will be studying the results with great care, to ensure we leave no stone unturned in our efforts to protect customers from events like this in the future.” The statement added: “We are so sorry for the worry and disruption that this has caused our customers.” The statement does go on, perhaps ill-advisedly, to praise the work of the hackers, saying: “To the hacker. If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Today several people affected by the breach have posted on the company’s Facebook page. Some were out of pocket, while others had to cancel their bank cards. The retailer’s Twitter feed was also dominated by the subject. One follower said £1,185 had been taken from her credit card, probably as a result of the Lush hacking. However, the retailer is also using the Twitter feed to engage with shoppers on the issue, praising the support it has received from members of its online communities.

Noa Bar-Yosef, senior security strategist at Imperva, said: “It seems that Lush online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they’re taking the website down. So it’s not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.”

He said it appeared that the attack “clearly shows that Lush was in breach of PCI DSS compliance,” the Payment Card Industry Data Security Standard, the card-industry standard that any merchant storing, processing or transmitting cardholder data for the major card brands, including Visa and Mastercard, is contractually required to meet.

And, added Bar-Yosef, it seems its audit trail is not up to scratch since “a good audit trail should also provide concrete details regarding who was affected and when,” rather than leaving the website contacting those who might potentially have been affected.

Our view: Anyone who’s ever lost their credit or debit card will know that it’s something of a nuisance to have to order a new one. Most people who have ordered from Lush over the past four months will now be faced with this – leaving them potentially without a card or access to cash, for several days. Those who have been personally affected by hacker fraud will find it’s still more complicated to resolve. It’s a deep understatement to say that’s not what shoppers want when they turn to the convenience of online purchasing.

So this high-profile failure of Lush’s payment systems risks dealing a blow not only to that company and the reputation of its online store as a place to shop safely, but to ecommerce as a whole. For some consumers it will also raise doubts about the safety of paying online at all.

We predict this will strengthen shoppers’ faith in the brands they already trust, whether retailers or payment processing companies, and at the same time raise doubts about shopping online with those they believe may be less safe.

Certainly this should prompt internet retailers everywhere to take a good hard look at the safety of their systems – and flag up clearly on their website why theirs can be trusted. It’ll also be important to learn from the lessons that Lush takes from its forensic investigation – we trust they’ll be sharing those lessons in due course.
