David Heath
Wednesday, 16 February 2011 12:40
Following a discussion with a representative of Lush Cosmetics, more information is available regarding Monday's web site breach.
Previously, iTWire reported on the dual breaches of the Lush UK (on January 20th) and Lush Australian (on February 14th) sites. iTWire was able to talk with Mark Lincoln, a Director at Lush, about the incident.
iTWire: Upon hearing of the UK incident, what steps were taken in Australia to confirm the local site was not susceptible to the same problem?
Lincoln: We immediately contacted our IT provider and ran a number of security checks. We also implemented additional monitoring services with the hosting company. We also commenced work on recommended changes to the website aimed at addressing some identified weaknesses in our site. We are devastated that these were not able to be implemented in time to prevent this crime happening.
iTWire: When did you discover the Australian web site breach and how was it identified?
Lincoln: We were advised yesterday of an unauthorised access to the site. It was identified by the hosting company's monitoring service.
iTWire: Is this Australia / New Zealand 'incident' comparable with the UK one? What was similar and what was different?
Lincoln: The local forensic investigators are currently looking into the breach. As part of the process they will contact the UK investigators and compare the attacks.
iTWire: Is it the same software that was used in the UK?
Lincoln: No.
iTWire: When will all potentially affected customers be personally informed?
Lincoln: As a precautionary measure we advised all customers on the same day we were notified of the breach - we are awaiting a report from the forensic investigators before we can comment on how many people have been affected.
Next, we discuss the actual data that was exposed.