Lush Cosmetics Australian website hacked

David Heath
Tuesday, 15 February 2011 11:17

Business IT - Security

The Australian and New Zealand shopping site of cosmetics retailer Lush has been hacked just weeks after a similar breach occurred on the UK site.  Credit card details and other intimate information of shoppers have been exposed.

If you visit the Lush Cosmetics Australian website you will find a single banner page announcing that the site has suffered a "Privacy Breach."  This is contained as a single JPG image with no other links on the page.  In fact if you use your favourite search engine to find sub-pages, they all return a 404 error.  It would appear that the entire site has been removed from the server and the single banner page put in its place.

In part, the site statement says:

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked.  We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted.  As a precautionary matter we have removed access to our website while we carry out further security checks.

Lush is working with Police... [the statement continues]

So, this statement is telling customers that there was a breach in the AU/NZ site and that it follows a similar breach at the UK operation a couple of weeks earlier identifying that transactions on the UK site between 4th October and 20th January have been breached (the statement notes that they "hope that we have overestimated the timeframe involved, in order to minimise the amount of customers involved").

 

Analysis continues on page 2.