Lush customers should check their credit card statements – more websites hacked


LushLush, the handmade cosmetics firm, has shut its Australian and New Zealand websites after hackers apparently gained access to online customers’ personal data.

In a statement posted on its website it “urgently” warns customers who have made online purchases to check with their banks to see if their credit card details have been abused.

It is less than a month since the firm had to issue a similar warning to its UK online customers.

Lush website message

Our website has been the target of hackers

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customes who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry our further security checks.

There’s some interesting wording in the advisory. For instance, Lush says that its Australian and New Zealand websites are not linked to the UK website, but it doesn’t say that they haven’t suffered from the same vulnerability that allowed the hackers to gain access on the British site.

Furthermore, you have to wonder if Lush was storing its customers credit card information with secure encryption if they are concerned that customers could find that their details are being abused.

Lush says that it has contacted the police regarding the incident, and will send emails to all customers that they believe may have been affected

Last month, Lush attempted to cheer the spirits of affected customers by sharing a video of puppet lemmings singing a song.