BreachExchange mailing list archives

Lush Looks For Answers In Security Breach That Could Cost Customers Thousands


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 22 Jan 2011 15:45:22 -0500

http://www.reviewsofelectronics.com/lush-looks-for-answers-in-security-breach-that-could-cost-customers-thousands/225726/

Popular cosmetics chain Lush has been attacked by hackers, with
consumer credit card information and personal details having been used
for fraudulent purchases. It appears as though the hackers may have
been stealing sensitive data for up to four months, and Lush has
advised consumers to contact their banks if they thought their details
had been used by the hackers.

On January 21st, a message on the Lush home page explained the
situation and the online shop was shut down. Judging by the comments
on Lush’s Facebook fan page, customers are far from happy. Many
complained about having to cancel their credit cards for fear of
fraud, and several claimed to have lost money as well. The biggest
complaint seems to be that Lush took so long to notice the security
breach.

Security expert Rik Ferguson has commented on the attacks, saying the
stolen money could be a significant sum. He writes the following on
his Trend Micro blog, “I was initially alerted to the attack by one of
my own friends whose card, along with her husband’s, have subsequently
been used to make fraudulent purchases totalling almost £6000 ($8150)
from well-known online retailers.”

Lush’s ethical director, Hilary Jones, explained that on Christmas
Day Lush became aware that some hacking might be taking place. Between
Christmas and New Year, Lush worked to establish whether the
hacking was genuine, and Hilary Jones spoke out about why all
customers had to be alerted immediately once fraudulent claims were
verified. Jones stated, “As an ethical company we could not keep that
information to ourselves…we had to tell a huge raft of customers”.
Jones also says that the four-month period customers were warned
about was not an accurate time frame but a deliberately cautious
estimate, so that any at-risk consumers would be compelled to check
their bank statements carefully.

The Lush web site is no longer operational; a new shop will be
available in a few days and will accept PayPal only. Lush is
currently investigating how the hackers managed to break the encrypted
files and obtain credit card information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list