Can a video of singing lemmings make up for having your credit cards stolen?


The cosmetics store Lush is making the headlines for all the wrong reasons today, as they announced they were suspending online sales after their website was broken into by hackers.

In a statement on the site, the handmade cosmetics firm explains that customers who purchased goods online between 4 October 2010 and 20 January 2011 may have had their credit card details stolen as a result of the security breach:

We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.

For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

Lush warning on their website

In a tongue-in-cheek message to the hacker, Lush said it admired the hacker's "formidable" skills but would not be offering him a job.

If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.

In perhaps the most bizarre twist of all, Lush has posted a video of toy lemmings singing a song by Elbow on its front page.

Although the news for customers is very worrying, Lush is clearly trying to present the news in a warm-and-cosy way.

Lush says they are trying to cheer themselves up, but you have to wonder if their customers would be wise to spend five minutes watching the stuffed toys singing their song rather than checking their bank account for unexpected activity.

If I were a customer of Lush's website I wouldn't feel like smiling this morning.

It would certainly be interesting to hear when Lush first discovered that they had suffered from a security breach. Was it at the same time as they posted the message on the front page of their website, or have they known for longer?

And was the customer credit card information not encrypted? If it had been strongly encrypted then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.

Judging by comments on Twitter and Facebook from affected customers, some don't appreciate Lush's attempts to smooth the waters and might have been happier with a more sober and thoughtful response - such as links to advice about what to look out for.

It's also unclear whether Lush has emailed affected customers, or if it is relying on users' visiting their website to hear about the security breach. Certainly anyone who bought a "difficult female relative" some nice-smelling soap for Christmas is unlikely to visit the site in the immediate future.

Update: Thanks to Naked Security reader Julie who forwarded us an email she received from Lush, notifying her of the security breach:

Lush notification email

All companies need to treat the security of their customers' personal information and credit card data seriously to reduce the chances of hackers being able to cause harm and corporate embarrassment.


10 Responses to Can a video of singing lemmings make up for having your credit cards stolen?

  1. Mark · 1687 days ago

    It's unlikely the "hacker's" skills were all that formidable. I hope the little brat gets what he deserves. Sympathies to Lush and their customers. They must have been feeling a little depressed and tried to lighten their own moods but, I agree, a light-hearted YouTube video is probably not what their customers really want to see right now.

  2. Mark · 1687 days ago

    Comments I've read under the related YouTube video:

    One user writes: "At least Lush were decent enough to email everyone who could be affected and shut down their website so nobody else went through this. Very few businesses would actually do that."

    Another user writes: "On the other hand, they did not pass on their customer care mail addresses and phone numbers, I had to find it. Last but not least, I have just discovered that the script flaws of Lush website were known for months.. (multimedia and computing press)".

    Of course, I haven't confirmed that any of the above claims are true so take it with a pinch of salt until otherwise confirmed.

  3. Jessica Benjamin · 1687 days ago

    As someone who purchased from Lush UK in November, I am one disgusted customer that I got the news that this had happened from an online Forum rather than an e-mail from Lush UK. When I called I was told that the email must be in my spam folder. It wasn't.

    THAT is no way to treat customers you want to keep.

  4. guernseygal · 1687 days ago

    They say they have sent emails to all customers that have used their website for purchases between 4 Oct 2010 and 20th of Jan 2011 (ask me how I know). Now waiting for bank to send me a new card having put a block on the current one. Nothing untoward has happened on the account so that is a relief and I am grateful to them for alerting me (unlike a different company 2 years ago). The first that I knew about that one was when the bank froze my account and wrote to me to inform me that my card had been used to purchase various plane tickets - no I wasn't planning any trips :-(

  5. Martin · 1687 days ago

    It's going to be interesting to see by whom and how heavily Lush get hit by the various regulations out there.

    My prediction: ICO to hit Lush with 7 figure fine.

    PCI - could be interesting if Lush have self certified. From what I've seen the only real choice would be to suspend the ability of the company to process card data. If one good thing is to come from this, it will be that this may be a wake-up call to others that proper security and data practice is not an expensive nuisance but a requirement of doing business in today's online world. For Lush however that horse has well and truly bolted.

  6. julieanne · 1687 days ago

    Not surprising - they are a VERY CHEAP company -
    I worked for them and made a tad bit over minimum wage despite having been told when I was hired that there would be bonuses, etc. Of course that rarely happened.
    They do not practice what they preach - i.e. they like to brag about how much "charity" they give out as a company (mind you, all tax deductible) all while a few of the employees I worked with were on FOOD STAMPS. Doesn't make sense, does it? I mean they are selling a bar of soap for $20.00 - they need to get a grip.

  7. Ronnie · 1686 days ago

    As someone who has been a very loyal Lush customer for quite some time, I have to say that right now I'm feeling a bit outraged.

    I subscribe to their official Facebook page, and was initially only aware of website downtime through that. Yesterday was the first time I had seen any mention of a website hack on their feed.

    Reading this blog post has been the first - and only - report I've read of customer credit card details potentially being compromised. In the channels through which I follow Lush, this was not explicitly stated. Ever. Now, to a small amount of credit, they apparently posted about this on Thursday through Facebook, but it seems I simply missed it.

    However, just as seriously, they did not explicitly state the nature of the breach at all. They merely said, "Lush Limited would like to alert all of our UK online customers to the message on our website. :("

    Sorry, were they too full of pride to come right out and say to the world, "Our website was hacked. If you ordered from us online between 4 October and 20 January, your credit card details may have been compromised. Visit our website for more information and advice."

    Because really, with something like this, that's what should have happened. A massive, loud alert through multiple channels, not just a sad face and a cryptic message.

    And as an aside, I also haven't received this supposed email, spam box or no. Their newsletter, however, certainly makes an effort to arrive in my inbox every month.

  8. Sue · 1686 days ago

    I got an email but have never used the website to place an order, I always call.

    As for the lemmings, that had been planned for some time, as you would see if you watched it. It's about Monday being the most depressing day of the year, and was not designed to placate cross customers, it would have been there hackers or not.

  9. I find the idea that they stored consumer card details in plain text absolutely unfathomable - and the fact that they passed a PCI DSS certification makes the whole thing even more ludicrous.

    The "hacker" will likely be a 14 year old Lithuanian with a set of basic injection and pen-testing tools, who lucked out. The developer responsible for making such a poor technical decision should be flayed.

    Speaking of which, who made Lush's site?

  10. Mark · 1684 days ago

    It obviously shows that they don't actually perform security testing on their E-Commerce site.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley