Lush customers concerned about hackers getting their details

The website of cosmetics company Lush has been hacked several times in the past three months, leading to possible credit card fraud. Customers affected are those who ordered online between 4 October 2010 and 20 January 2011. The company emailed the following to customers on Thursday, urging them to contact their banks – “Our website has been the victim of hackers. Twenty-four-hour security monitoring has shown us that we are still being targeted, and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry — so have decided to completely retire this version of our website.”

Lush did not release many details of the attacks; however, postings on the Lush Facebook page indicate that some customers have been victims of fraud. Lush is launching a “thorough investigation”, working with the police and its credit-card acquirer, and adding security measures. Although Lush initially discovered the problem in late December, it only took down its UK website in January, after a further hacking attempt.

Lush has a temporary UK website until its new version launches shortly. Initially, users can only make payments via PayPal. On its temporary website, Lush posted a video of toy lemmings, telling users to “click on the video to try and share a smile”. There is also a message – “To the hacker: If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Security researcher Graham Cluley of Sophos wrote in a blog on Friday, “Was the customer credit-card information not encrypted? If it had been strongly encrypted, then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.”