Lush suffers website hacking

Cosmetics retailer Lush has been forced to take its website offline after hackers gained access to customers’ personal data.


The site has been replaced with a statement which warns customers that credit card data has been compromised.


“We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers,” it says.


“We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.”


The security breach has promoted industry security experts to issue security warnings about the risks associated with online payments.


IP Payments chief executive Mark Lewis says the Lush example of credit card theft highlights the huge risk that comes with failing to comply with security standards.


“Not only does it cause reputational damage and financial implications to a business when sensitive data is compromised but it also genuinely puts real people’s credit card information at the risk of theft,” he says.


Lewis says Lush’s announcement that customers should investigate cancelling credit cards suggests the company may have failed to abide by industry standards.


“It suggests they were running a back-end application that had not been secured. It is part of a business’s obligation to protect credit card data,” he says.


“If all the tools are set up it’s extremely unlikely that hackers would be able to break in. They would have to break through peer-reviewed encryption algorithms.”


Peter Sparkes, Symantec senior manager for the managed services team, says PCI industry standards are a basic measure for protection and all businesses need to find out how they can comply.


“I’d emphasise these are just minimum standards as well. The PCI industry has 12 effective requirements and those are broken down but they are quite minimal – firewalls, testing and so on. Anyone handling credit card data should look at them,” he says.


“After [a] transaction has been completed don’t store that data if you can help it. Segment as much of the physical and virtual data that you can, so only minimal amounts of people have access to those systems.”


Simon Howe, Acronis country manager for Australia and New Zealand, says the fact that Lush was forced to dismantle its website is a nightmare for many ecommerce operators.


“Any downtime is costly and that is exacerbated in an ecommerce environment,” Howe says.


PayPal Australia managing director Frerk-Malte Feller called for more education in the area of online security.


“The loss of [Lush] consumers’ personal data … highlights a need for stringent payment solutions and a partnership between industry and retailers in assuring a robust and secure system is in place,” Feller says.


“Operating an online store has wide-ranging benefits, to Australian retailers … from reaching new customers both at home and overseas to decreasing costs.


“Whilst these benefits are great, making the move online should be well planned and security should sit at the heart of any online strategy.”


Notify of
Inline Feedbacks
View all comments
SmartCompany Plus

Sign in

To connect a sign in method the email must match the one on your SmartCompany Plus account.
Or use your email
Forgot your password?

Want some assistance?

Contact us on: or call the hotline: +61 (03) 8623 9900.