Lush scraps site after data breach

Home-made cosmetics brand Lush has scrapped its online store after admitting that it was hacked repeatedly by fraudsters over the past three months, putting thousands of customers at risk of having their card details stolen.
Lush has taken down its website and replaced it with a statement: “We would like all customers that placed online orders with us between 4 Oct 2010 and 20 Jan 2011 to contact their banks for advice as their card details may have been compromised.”
It continued: “24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.”
E-commerce sites are regularly suspended if security breaches are discovered, then restored once the problem is fixed. However, it is highly unusual for a company to completely scrap a site.
The cosmetics retailer plans to launch a new website in the next few days, which will initially only accept PayPal payments. In the meantime, it is urging customers to phone a mail order line to order products.
In a bizarre twist, the website also carries a statement for the hacker, which reads: “If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”
Earlier this week, DecisionMarketing revealed that simple tool-kits enabling criminals to hack into a site are available for as little as £10.
