
LUSH - Important News - UPDATED


Comments

  • 1984ReturnsForReal_2
    1984ReturnsForReal_2 Posts: 15,431 Forumite
    edited 21 January 2011 at 1:11PM
    Aidy wrote: »
    Unfortunately this is not new - TK Maxx were hit in 2007:

    http://news.bbc.co.uk/1/hi/business/6508983.stm

    45 million cards were potentially affected in the UK and US; although many were believed to be expired card numbers.

    Wi-Fi WAS involved, according to Wikipedia:

    Details were stolen by hackers installing software via wi-fi in June 2005 that allowed them to access personal information on customers. The breach continued until January 2007.
    Eleven people from around the world were charged with the breach in 2008. Outside security provider Protegrity has estimated that T.K. Maxx's losses as a result of the data breach may reach £800 million in the years to come. The losses would come as a result of paying for credit checks and administrative costs for managing the fallout from the breach.


    "According to the company this affected customers who used their card between January 2003 and June 2004 at any branch of T.K. Maxx"


    They broke (or found out from inside) the codes of the Wifi terminals at the shopping stores. Not online.
    Not Again
  • Simmysim
    Simmysim Posts: 1,176 Forumite
    "We are trying to cheer ourselves up, here is a funny vid to watch"

    Who is running that site, a bunch of little girls? :eek:
    :A
  • "Thousands of shoppers who ordered online cosmetics over the past three and a half months could have had their card details stolen. ..."
  • hallmark
    hallmark Posts: 1,463 Forumite
    Not "easy" to the amateurs, but if these people are confident enough to hack into a site such as Lush and commit a crime this large, I'd say they were pretty confident in what they were doing and would be able to decrypt it without having too many problems.

    Sorry but you are wrong. And I do work in IT security & have for 20+ years. Unless you are using obsolete & weak encryption (which is as bad as using none) people will NOT be able to decrypt your data "without having too many problems". Real-life hackers are not like what you see on TV, they don't have magic powers, and they can be easily defended against if companies care enough to do so.
    zenseeker wrote: »
    There are ways to get into systems, steal details and close the door quietly behind you. Such an attack would be undetectable to a malware scan (there isn't any) and would only come to light as complaints started coming in or someone noticed something unusual going on in the systems, not always easy.

    Again, the above is only true if the systems are not protected adequately in the first place. Proper security measures will stop the above. And proper security measures will also stop "inside jobs". FWIW, the companies I work for audit the actions of internal users nearly as closely as external threats.

    Lush clearly have inadequate security. The flippancy of their website comments to the "hacker" confirms that they are rather clueless as to the seriousness of the various issues involved.
  • toontron
    toontron Posts: 2,116 Forumite
    Simmysim wrote: »
    "We are trying to cheer ourselves up, here is a funny vid to watch"

    Who is running that site, a bunch of little girls? :eek:

    Yeah, my thoughts exactly. I'm not laughing; my card was one that was used. Luckily my bank refunded the same day, but it is still hassle waiting for a new card. Luckily I have other accounts, but hey, let's all have a giggle, I mean, I only spend about £75 a month with Lush. :mad:
    January GC: £64.81/£80.00
    February GC: £24.60/£80.00
  • Just discovered we've been hit too - a fraudulent £15 O2 transaction. It's only thanks to this thread and some diligent web surfing that I worked out where it had come from. I reported it and stopped the card, but haven't been refunded yet until I complete the form being sent, but I assume I will be.
    I am furious with Lush - no email has been received as yet from them and, having seen their website, I agree that it is flippant and silly. They should have had proper security in place. This is the first time it's happened to me and I shop online all the time. I will be writing to them and I personally think they should compensate anyone who has been affected.
  • debjay
    debjay Posts: 2,091 Forumite
    Exactly, you can't even take them off Play, you have to change the details and then they email you saying your account is suspended lol, but next time you order you just put the correct details back in, it's not a problem.

    Can't seem to take my CC details off Play. Have tried 16 random digits but it says it's the wrong length :o
  • hallmark wrote: »
    Sorry but you are wrong. And I do work in IT security & have for 20+ years. Unless you are using obsolete & weak encryption (which is as bad as using none) people will NOT be able to decrypt your data "without having too many problems". Real-life hackers are not like what you see on TV, they don't have magic powers, and they can be easily defended against if companies care enough to do so.

    Again, the above is only true if the systems are not protected adequately in the first place. Proper security measures will stop the above. And proper security measures will also stop "inside jobs". FWIW, the companies I work for audit the actions of internal users nearly as closely as external threats.

    Lush clearly have inadequate security. The flippancy of their website comments to the "hacker" confirms that they are rather clueless as to the seriousness of the various issues involved.

    I don't watch hackers on TV, thanks, but as soon as you create something which you think is secure there are always going to be other people who can make that insecure, so new advances need to be made. You can encrypt it all you want, but there will still be people out there who will be able to do it. To think that you are fully protected from hackers is naive; there are people out there who can get into anything they want, whether you are encrypted well or not.

    Anti-viruses are supposed to be secure, but can you trust them? No, because there will always be ones which go undetected. You can create as much software and security as you want, but it won't be fully secure for as long as people want to gain access. It's pretty stupid to say that it should be impossible for anyone to get into their details; I'm sure people could hack into the most secure of servers given time. If you have worked in IT for 20 years I would have expected your naivety to be a little bit less. These are people who probably hack for a living and live off what they manage to take off others. I bet most sites wouldn't even recognise if their databases had been accessed, and it goes unnoticed a lot of the time.
    Who would say I couldn't make you mine? You were mine since th' beginning of time. Who would say we were far apart? You ever reside in the core of my heart?
    :A

  • metoyoubear
    metoyoubear Posts: 1,438 Forumite
    debjay wrote: »
    Can't seem to take my CC details off Play. Have tried 16 random digits but it says it's the wrong length :o

    It won't seem to let you change that, or at least I can't get it to work, so I changed the start date and the CV number instead.
  • SallyG
    SallyG Posts: 850 Forumite
    edited 21 January 2011 at 1:34PM
    Me too dammit - seriously scared
    I rang my bank yesterday evening as soon as I saw the email from Lush.
    Bank said there were 2 "unauthorised" O2 payments on the debit card.
    I didn't make any payments to O2.
    They hadn't appeared in my online statement - still haven't today.
    I cancelled debit and credit card used to buy online from Lush.
    The bank advised cutting up both cards but hanging on to them in case I eventually had to send them to the bank - something about in case of those O2 payments "being authorised".
    Why would I have to do that, and what does "unauthorised" mean when used by the bank about card payments?
    Is there any way someone in possession of card details and address can use that to defraud further / steal ID / open accounts in my name now that the cards have been stopped?
    Will I carry on buying online or start ringing in my order like I used to with the old catalogue mail order companies?