Security Market Segment LS
Tuesday, 15 February 2011 12:17

Lush Cosmetics Australian website hacked


The Australian and New Zealand shopping site of cosmetics retailer Lush has been hacked just weeks after a similar breach occurred on the UK site.  Credit card details and other intimate information of shoppers have been exposed.

If you visit the Lush Cosmetics Australian website you will find a single banner page announcing that the site has suffered a "Privacy Breach."  This is contained as a single JPG image with no other links on the page.  In fact if you use your favourite search engine to find sub-pages, they all return a 404 error.  It would appear that the entire site has been removed from the server and the single banner page put in its place.

In part, the site statement says:

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked.  We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted.  As a precautionary matter we have removed access to our website while we carry out further security checks.

Lush is working with Police...
[the statement continues]

So, this statement is telling customers that there was a breach in the AU/NZ site and that it follows a similar breach at the UK operation a couple of weeks earlier identifying that transactions on the UK site between 4th October and 20th January have been breached (the statement notes that they "hope that we have overestimated the timeframe involved, in order to minimise the amount of customers involved").


Analysis continues on page 2.


According to the UK statement, customers HAVE suffered fraudulent transactions on their credit cards although it is unclear whether these transactions were the first Lush knew of the issue or whether it was uncovered by their own monitoring.

As yet, neither operation has given any clues as to the source of the breach, although typically such eCommerce hacks are targeted at the SQL server.

A major question that needs to be addressed is why two related sites have suffered similar breaches within weeks of each other. Another is did the local Lush website manager test the validity of his site's security within seconds of hearing about the UK incident as would be expected. If so, then why did a similar breach occur yet again? It is not known whether the ACCC will get involved with this latest incident but it would not be a surprise.

"Again we would like to say that we are truly sorry and thank our customers for standing shoulder to shoulder with us during this difficult time."

Lush Australia has been contacted for comment.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News