MSE News: Fraud risk for thousands after Lush website hack




This is the discussion thread for the following MSE News Story:
"Thousands of shoppers who ordered online cosmetics over the past three and a half months could have had their card details stolen. ..."
This discussion has been closed.
Replies
I love their comment to the hacker as well!!
Well if that is its concern, it could share what it knows about how many cards and why just its UK website - Lush.fr for example is still trading.
If you do like it please hit the thanks button.
1. If you are unfortunate enough to suffer a security breach, openly advertising to the hackers just how successful or otherwise they were is NOT a good idea. It tends to encourage both them and others of their ilk.
2. From the information we have, it sounds like only the UK site has been targeted. The websites in country are almost certainly hosted and maintained independently within that particular company, not all run from one central location. Given that Lush will now know how the attack was executed, they can update and protect the other sites as required to prevent a similar attack from succeeding there. The problem with the UK site now is not protecting it against another similar attack, but that the code of the website itself could have been fatally compromised with backdoors and other snoopware by the hackers. Better to pull it, bin it and start again, even though a lot of work is involved in that.
And Lush have done just that, so kudos to them for handling a nasty situation with both decisiveness and a sense of humour!
But if I were a Lush customer I would be demanding to know why credit card numbers are being stored on their database. What business do they have keeping a record of these numbers?
Though mistakes happen, it seems to have taken Lush the best part of a month to tell its customers. Looks like this second round of attacks attracted the attention of someone there who thought it might be wise to mention it. Incompetent muppets.
So "decisiveness" is over 3 weeks in the IT industry? Seems like Lush knew for a while and didn't want to compromise their Xmas and New Year sales. Any other company and they would be slated, but because it's "ethical and lovely" Lush they can do no wrong?
I wonder if this problem is linked in any way with when they shut the website down when the sale was on.
Not sure I shall want to buy online from them again after this. However much they are/aren't to blame.
It's certainly made me think twice about online shopping in general.
I check my cc balance every day as it is and shall be continually doing now.
Hope it all gets sorted for you quickly.