Lush customers should check their credit card statements - more websites hacked

Filed Under: Data loss, Law & order, Privacy

LushLush, the handmade cosmetics firm, has shut its Australian and New Zealand websites after hackers apparently gained access to online customers' personal data.

In a statement posted on its website it "urgently" warns customers who have made online purchases to check with their banks to see if their credit card details have been abused.

It is less than a month since the firm had to issue a similar warning to its UK online customers.

Lush website message

Our website has been the target of hackers

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customes who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry our further security checks.

There's some interesting wording in the advisory. For instance, Lush says that its Australian and New Zealand websites are not linked to the UK website, but it doesn't say that they haven't suffered from the same vulnerability that allowed the hackers to gain access on the British site.

Furthermore, you have to wonder if Lush was storing its customers credit card information with secure encryption if they are concerned that customers could find that their details are being abused.

Lush says that it has contacted the police regarding the incident, and will send emails to all customers that they believe may have been affected

Last month, Lush attempted to cheer the spirits of affected customers by sharing a video of puppet lemmings singing a song.

, , , , ,

You might like

One Response to Lush customers should check their credit card statements - more websites hacked

  1. This could have been as simple as inserted code acting as a keylogger to a remote site via a hidden iframe on the payment page. No need for lush to have stored the credit card details in an unencrypted form, in fact no need for them to have stored them at all.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley