Cyber attack exposes customers of Lush
26 January 2011 - 10:21 by Mike Price
A hacking campaign that laid bare the e-commerce site of cosmetics retailer Lush has resulted in the theft of customer card details and a real knock to the reputation of the business.
Various cyber attacks were apparently levelled at the online portal over a sustained period, and as a result Lush was forced to take its site offline in order to address allegedly glaring security flaws that made it particularly vulnerable to exploitation.
Any customer who logged on to the site and made a purchase between October 2010 and the end of last week is being told to contact their bank and make it aware that their card details may have been stolen and could subsequently be used by the cybercriminals behind the attack to commit acts of fraud.
According to posts on Lush's Facebook group, several customers have already suffered from misuse of their card details as a result of the hacking. Admittedly, it is currently impossible to know whether Lush is to blame for these early reports of ID theft, but since its own customers are making these claims, it cannot be ruled out as a possibility.
The one consistent message from Lush customers is that they will not trust it again to provide safe shopping online, and many will pass on this news to friends and family, perhaps irreparably damaging the trust that consumers are willing to place in the firm.
Until Lush can clear up the security issues with its site, it has chosen to use PayPal as a means of taking payments for any purchases made in the near future. This is a temporary solution, and the company hopes to get its own payment system up and working as soon as possible to ensure that safe shopping online is once again available to its customers.