Payment cards: bad smell at Lush cosmetics
An announcement on the Lush cosmetics website, published just three days before Valentine's Day, admits to a breach in the security systems relating to on-line sales. But is it too little, too late?
Lush (a large company operating in many markets worldwide) promotes its products as "fresh handmade cosmetics." It also sells over the internet. The company's UK website at www.lush.co.uk admits to "an announcement on 20 January that our website had been hacked."
But it appears from the 11 February announcement that the problem may have been outstanding for much longer: the company has e-mailed all customers who placed web orders between 4 October 2010 and 20 January 2011, asking them to "contact their banks and monitor their accounts closely." It admits that "some of our customers have had to go through the experience of having their credit cards used fraudulently."
The company has closed its website and now has a landing page only. It says that the data that was compromised related only to web purchases, not those made in shops or by phone. But it also says that a "team of forensic experts" is still trying to find the extent of the problem.
There are 40 websites covering 39 countries (Canada is in both English and French).
The New Zealand and Australian sites carry similar messages. In that case, they say that the Australian and New Zealand sites are "not connected to the UK site which was recently compromised" but then go on to say "it appears that the Lush Australia and New Zealand sites have also been targeted." The company says that its web host informed it of suspicious activity at 10:30 on 14 February and that the website was shut down 13 hours after that notification.
The Ireland website carries a message telling visitors to visit the UK website.
Other websites are operating normally but it is not clear whether they are built to the same specification as those that have already been hacked.