The website of cosmetics company Lush has been hacked several times in the past three months, leading to possible credit card fraud. Customers affected are those who ordered online between 4 October 2010 and 20 January 2011. The company emailed the following to customers on Thursday, urging them to contact their banks – “Our website has been the victim of hackers. Twenty-four-hour security monitoring has shown us that we are still being targeted, and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry — so have decided to completely retire this version of our website.”
Lush did not release many details of the attacks; however, postings on the Lush Facebook page indicate that some customers have been victims of fraud. Lush is launching a “thorough investigation”, working with the police and its credit-card acquirer, and adding security measures. Although Lush initially discovered the problem in late December, it only took down its UK website in January, after a further hacking attempt.
Lush has a temporary UK website until its new version launches shortly. Initially, users can only make payments via PayPal. On its temporary website, Lush posted a video of toy lemmings, telling users to “click on the video to try and share a smile”. There is also a message – “To the hacker: If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”
Security researcher Graham Cluley of Sophos wrote in a blog on Friday, “Was the customer credit-card information not encrypted? If it had been strongly encrypted, then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.”