BreachExchange mailing list archives
Lush Looks For Answers In Security Breach That Could Cost Customers Thousands
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 22 Jan 2011 15:45:22 -0500
http://www.reviewsofelectronics.com/lush-looks-for-answers-in-security-breach-that-could-cost-customers-thousands/225726/

Popular cosmetics chain Lush has been attacked by hackers, with consumer credit card information and personal details having been used for fraudulent purchases. It appears as though the hackers may have been stealing sensitive data for up to four months, and Lush has advised consumers to contact their banks if they thought their details had been used by the hackers. On January 21st, a message on the Lush home page explained the situation and the online shop was shut down.

Based on what people are saying on Lush's Facebook fan page, people are far from happy. People complained about having to cancel their credit cards for fear of exploitation, and many claimed to have lost money as well. The biggest complaint seems to be that Lush took so long to notice the security breach.

Security expert Rik Ferguson has commented on the attacks, saying the stolen money could be a significant sum. He writes the following on his Trend Micro blog: "I was initially alerted to the attack by one of my own friends whose card, along with her husband's, have subsequently been used to make fraudulent purchases totalling almost £6000 ($8150) from well-known online retailers."

Lush's ethical director, Hilary Jones, explained that as of Christmas Day Lush became aware that some hacking may be taking place. Between Christmas and New Year, Lush worked towards investigating whether the hacking was legitimate, and Hilary Jones spoke out about why all customers had to be immediately alerted once the fraudulent claims were verified. Jones stated, "As an ethical company we could not keep that information to ourselves…we had to tell a huge raft of customers".
Jones also alleges that the four-month period that customers were warned about was not an accurate time frame, but a deliberately overcautious estimate so that any at-risk consumers would be compelled to check their bank statements carefully. The Lush web site is no longer operational, but a new shop that will only accept PayPal will be available in a few days. Lush is currently investigating how the hackers managed to break encrypted files and successfully take credit card information.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/