In part, the site statement says:
We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.
We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.
Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry out further security checks.
Lush is working with Police... [the statement continues]
So, this statement is telling customers that there was a breach in the AU/NZ site and that it follows a similar breach at the UK operation a couple of weeks earlier identifying that transactions on the UK site between 4th October and 20th January have been breached (the statement notes that they "hope that we have overestimated the timeframe involved, in order to minimise the amount of customers involved").
Analysis continues on page 2.
As yet, neither operation has given any clues as to the source of the breach, although typically such eCommerce hacks are targeted at the SQL server.
A major question that needs to be addressed is why two related sites have suffered similar breaches within weeks of each other. Another is did the local Lush website manager test the validity of his site's security within seconds of hearing about the UK incident as would be expected. If so, then why did a similar breach occur yet again? It is not known whether the ACCC will get involved with this latest incident but it would not be a surprise.
"Again we would like to say that we are truly sorry and thank our customers for standing shoulder to shoulder with us during this difficult time."
Lush Australia has been contacted for comment.