MSE News: Fraud risk for thousands after Lush website hack 21 January 2011 at 1:01PM in Health & beauty MoneySaving 25 replies 4.1K views

Former_MSE_Guy

This is the discussion thread for the following MSE News Story:

"Thousands of shoppers who ordered online cosmetics over the past three and a half months could have had their card details stolen. ..."

Read the full story:
Fraud risk for thousands after Lush website hack

This thread is to discuss this news story. Another thread on the topic was started last night.

ShaneUK

Congratulations to Lush on taking down the WHOLE website - and stopping all online orders until rectified.

I love their comment to the hacker as well!!

oakhouse13

"For complete ease of mind"

Well if that is its concern, it could share what it knows about how many cards and why just it's UK website - Lush.fr for example is still trading.

Gordon_the_Moron

I love the comment to the hacker too :-)

Jesthar

oakhouse13 wrote: »

"For complete ease of mind"

Well if that is its concern, it could share what it knows about how many cards and why just it's UK website - Lush.fr for example is still trading.

Speaking as a professional Systems Administrator, I would say that:

1. If you are unfortunate enough to suffer a security breach, openly advertising to the hackers just how successful or otherwise they were is NOT a good idea. It tends to encourage both them and others of their ilk.

2. From the information we have, it sounds like only the UK site has been targetted. The websites in country are almost certainly hosted and maintained independently within that particular company, not all run from one central location. Given that Lush will now know how the attack was executed, they can update and protect the other sites as required to prevent a similar attack from succeeding there. The problem with the UK site now is not protecting it against another similar attack, but that the code of the website itself could have been fatally compromised with backdoors and other snoopware by the hackers. Better to pull it, bin it and start again, even though a lot of work is involved in that.

And Lush have done just that, so kudos to them for handling a nasty situation with both decisiveness and a sense of humour!

corbyboy

Getting your website hacked is just one of those things that happens now and again.

But if I were a Lush customer I would be demanding to know why credit card numbers are being stored on their database. What business do they have keeping a record of these numbers?

gould300

Well I'm one of those affected - this morning someone, somewhere added £1,000 to my credit card balance - according to my card provider it was from a clothes shop (though they didn't stipulate which one). They've suspended my card and the fraud team will be contacting me tomorrow to discuss it.

Though mistakes happen it seems to have taken lush the best part of a month to tell it's customers. Looks like this second round of attacks attracted the attention of someone there who thought it might be wise to mention it. Incompetent muppets.

vikingaero

Jesthar wrote: »

And Lush have done just that, so kudos to them for handling a nasty situation with both decisiveness and a sense of humour!

So "decisiveness" is over 3 weeks in the IT industry? Seems like Lush knew for a while and didn't want to compromise their Xmas and New Year sales. Any other company and they would be slated, but because it's "ethical and lovely" Lush they can do no wrong?

snowberry

The other day I posted on the o2 scam page as money had been taken from my account. As I ordered online with Lush in December, I wonder if they are linked?

Catslovelycats

I got one of their warning emails and am a bit out out that they didn't shut it straight away.
I wonder if this problem is linked in any way with when they shut the website down when the sale was on.
Not sure I shall want to buy online form them again after this. However much they are/aren't to blame.
It's certainly made me think twice about online shopping in general.
I check my cc balance everyday as it is and shall be continually doing now.

Catslovelycats

gould300 wrote: »

Well I'm one of those affected - this morning someone, somewhere added £1,000 to my credit card balance - according to my card provider it was from a clothes shop (though they didn't stipulate which one). They've suspended my card and the fraud team will be contacting me tomorrow to discuss it.

Though mistakes happen it seems to have taken lush the best part of a month to tell it's customers. Looks like this second round of attacks attracted the attention of someone there who thought it might be wise to mention it. Incompetent muppets.

hope it all gets sorted for you quickly