
LUSH - Important News - UPDATED


Comments

  • ramper77
    ramper77 Posts: 34 Forumite
    Uniform Washer
    I just checked their site, and for me their written response is juvenile and rather bizarre. When someone has their credit card details taken, it's not a subject to make light of, especially by the people you expect to keep those personal details safe.
  • just_me_okay
    just_me_okay Posts: 1 Newbie
    edited 21 January 2011 at 4:06AM
    As someone who works in the IT world I can tell you Lush are going to be in serious trouble because of this. Lush should NOT be storing credit card information where it can be accessed via a public server; I am taking a guess that the information was NOT encrypted. God knows how many Data Protection and credit laws they have broken.

    The website hack was out of their control (maybe), but the fact that the information was there in the first place means they are in deep trouble to say the least, and from what I have read here some people have had their ID stolen, so it must have been a lot more information than just the credit card information that was stored publicly.
  • Evil hackers!
  • StumpyPumpy
    StumpyPumpy Posts: 1,458 Forumite
    Part of the Furniture 1,000 Posts Photogenic
    I don't know what happened at Lush and, as with everyone else on this thread, I can only speculate as to what may have happened, but as I don't shop at Lush either perhaps I can give a more objective opinion.

    I think it is highly unlikely that "They knew about this months ago". No webmaster I know would keep an eCommerce site running while customers' details were harvested, as shown with Lush as they have pulled the plug completely. And that decision has nothing to do with the customer: it is good business sense and practical sense. If they had knowingly let an attack continue to compromise their customer accounts they would become liable (as individuals) and possibly criminally liable too. Apart from that, it would ruin their reputation as a secure web retailer. Many websites have been hacked and had user accounts compromised, suffering a dip in trade as a result. The ones that didn't recover from the dip tended to be the ones who got caught trying to cover it up. The web is likely to be Lush's most profitable store, so even if the customers continued to buy Lush products in high street stores, but boycotted the site, Lush would lose money.
    The 4th October date for the start of the attack might be slightly arbitrary (it is a Monday) or, more likely, they had a system upgrade over the preceding weekend which exposed a security flaw that the hackers were exploiting. It was also the first day of the 4th quarter (calendar) so they could do housekeeping on their data and the customer data for the previous quarter was archived/deleted/moved. Or maybe, just maybe, little Jimmy in sales who was taken on in October has just been escorted from the Lush building.
    Other possibilities are that a 0-day hack was released that day (I don't know what system they ran, so I don't know if there was), or they ran through some server log files and were able to identify when a breach occurred, which can be a mammoth task and is often fruitless.
    I make these points only to highlight the myriad of different reasons (and there are many others) why Lush may have been able to state the starting point, that has nothing to do with them knowing about the attack months ago. But I know none of this as fact.

    If you have ordered during this period, what should you do? First step, as has been mentioned, is to phone to cancel the card you used. Don't bother to look to see if you have actually been hacked yet. You might not have been, but your cc details might still be out there in the hands of bad guys who haven't got around to using them. You might need to go through statements to identify which card you used if you have several cards. If you don't know which one it was: cancel them all, better to be safe than sorry. Be aware that if you rely on the card(s) for day-to-day spending you may not have access to any money for a couple of weeks while new cards are sorted out; so an early morning trip to the cashpoint may be in order first, but don't leave it too long before cancelling. After that, you can double check the statements to see if you have been hit. Second, consider what other personal information you shared with the Lush website. I never held an account with them so I don't know what it asked for beyond name, address & cc; I will assume password also. You must consider all this information compromised unless authoritatively told otherwise. Though with name & address there is little you can do about it. If you have used a password elsewhere, you need to change it in the other places. I would also advise you change it if you used a site/password combo where you use the same core password encapsulated by letters from each individual site (i.e. LmypasswordC for Lush Cosmetics and FmypasswordB for Facebook). Trust me: the hackers are wise to this trick, as they are to most of the others touted as "secure" in the press. In all likelihood, the password will have been held in a properly encrypted manner and won't be compromised; however, it isn't worth the risk of not changing it. Consider if Lush asked for any other information that may be useful to a hacker, e.g. password reminder questions.
    Also be extra vigilant with any emails you receive containing links or files to the email you used with Lush.

    As an aside, their website may have used a friendly/cool/hip/trendy/right-on/with-it tone generally (delete as appropriate to move me into 21st century dialect) but in these circumstances, while I understand what they were intimating, their flippant comments about the hacker come over as unprofessional. And, although as a bystander I find the lemmings video cute, I don't think I'd be very appreciative of it if several thousand pounds of mine had gone missing and I'd just lived for a week on the change I could find down the back of the sofa while my credit cards were replaced.
    It's ok to let the kids control the place when everything is running fine, but when things go pear-shaped like now, they should really have some adult supervision.


    SP
    Come on people, it's not difficult: lose means to be unable to find, loose means not being fixed in place. So if you have a hole in your pocket you might lose your loose change.
  • meerustar
    meerustar Posts: 8,560 Forumite
    Part of the Furniture Combo Breaker
    I've updated the first post with more info to make it easier for people rather than reading through the whole thread.

    If you spot any unusual transactions on your card, let us know and I'll add it to the OP. :)
  • hallmark
    hallmark Posts: 1,463 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    zenseeker wrote: »
    It's not the company's fault that hackers got in

    Of course it is. It's their responsibility to have adequate security measures in place. Stopping hackers is not difficult if you take appropriate measures.
  • just_me_okay wrote: »
    As someone who works in the IT world I can tell you Lush are going to be in serious trouble because of this. Lush should NOT be storing credit card information where it can be accessed via a public server; I am taking a guess that the information was NOT encrypted. God knows how many Data Protection and credit laws they have broken.

    The website hack was out of their control (maybe), but the fact that the information was there in the first place means they are in deep trouble to say the least, and from what I have read here some people have had their ID stolen, so it must have been a lot more information than just the credit card information that was stored publicly.

    I don't think they are so stupid as to not encrypt their data. Hackers are hackers; if they can gain entry to a database then they can decrypt the information on there with little problem. You have to realise that the skill these people have wouldn't stop just because the data is encrypted, as it would be easy for them to decrypt.
    Who would say I couldn't make you mine? You were mine since th' beginning of time. Who would say we were far apart? You ever reside in the core of my heart?
    :A

  • lucym
    lucym Posts: 431 Forumite
    lucym wrote: »
    We did too...plus a £300 wine order made directly after the o2 prepay 'test' transactions - our Lush order was made in December.

    Just want to add that our bank told us that the mobile top up transactions are just used to test your account/card before making larger purchases elsewhere.
  • westv
    westv Posts: 6,452 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    My bank (HSBC) contacted me on the 11th to tell me my card details may have been compromised. I made an order with Lush in December. If the two are connected why has it taken Lush a further 9 days to make it generally known?
  • I'm guessing you all know when you have malware on your PCs without running a virus scan, etc. No? Thought not. It's not Lush's fault they got attacked. Though maybe they should have had more checks in place looking for loopholes in the servers etc. But that isn't the staff's fault, just their IT department's.

    The hacker/s were very clever. As with any pay system, the staff who have access to the PCs would only be able to see name, address and the last 4 digits of the card used; the rest would show up as *****. The hacker/s would have placed something on their servers running in the background without their knowledge... Since so many people have been affected the police are involved, and maybe it was the police tracing all these hits back to Lush?

    As I said on the first page my mother was a victim here and it really affected her sleep; she felt she had been spied upon etc. It's taken me a few weeks to try and put her straight that she's not! And now she knows Lush's systems were at fault she actually felt relieved it wasn't her PC etc.

    What can you learn from all this? I guess keep checking your account when you use your cards online? Maybe just have one account open you use just for online purchases etc., check for the secure site symbol on the sites. And never use a site that doesn't have the Visa verification system set up?
    Totally debt free wohooo 2014
    Christmas 2014
    Presents bought **** rrp **** Saved ****
    *SAVE*SAVE*SAVE*
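The post above describes the defensive pattern that staff screens should only ever show the last four digits of a card, and earlier posts argue that the full number should never sit on a public-facing server at all. The following is an added example, not code from this thread or from Lush, showing how an order record can hold a masked display string and a keyed one-way reference instead of the card number. The card number, the function names and the demo key are all constructed for illustration.

```python
"""Store a masked display form and a keyed reference, never the card number.

Constructed example: the key, the card number and the record layout are
illustrative and do not describe any real retailer's system.
"""
import hashlib
import hmac
import re

# Constructed demo key. The point of a keyed reference is that this key lives
# in a secrets store or HSM, not on the web server that handles orders, so a
# compromised web tier cannot turn references back into card numbers.
DEMO_KEY = b"demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before anything is stored."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: everything except the last four digits becomes '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def card_reference(pan: str, key: bytes) -> str:
    """Keyed one-way reference (HMAC-SHA256) for matching repeat cards.

    An unkeyed hash would be weak here: a 16-digit number has a small enough
    space that attackers could hash every candidate and recover the card.
    With the key kept off the web tier, the reference alone gives them nothing.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def record_order(pan: str, key: bytes = DEMO_KEY) -> dict:
    """Build the only card-related fields an order record should contain."""
    pan = re.sub(r"[\s-]", "", pan)          # accept '4111 1111 ...' input
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return {"display": mask_pan(pan), "card_ref": card_reference(pan, key)}


def leaks_pan(record: dict, pan: str) -> bool:
    """True if any stored field still contains the full card number."""
    pan = re.sub(r"[\s-]", "", pan)
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed test card number (passes the Luhn check, not a real account).
    rec = record_order("4111 1111 1111 1111")
    print(rec["display"])                    # ************1111
    print(leaks_pan(rec, "4111111111111111"))  # False
```

The record keeps enough for customer service (the last four digits) and enough for fraud analytics (the same card produces the same reference), while a dump of the orders table exposes no usable card numbers.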