25 Jan 2011
The web site of bathroom products retailer Lush has fallen victim to hackers. At the time of writing, the site displays the message: "We are sorry to confirm that our website has been the victim of hackers" as its header.
It also features a section titled 'To the hacker', which praises the cyber criminal: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers."
The company is urging all customers who bought products online as far back as October to check for fraudulent transactions. So far 43 customers have had their cards used by cyber criminals.
Noa Bar-Yosef, Imperva's senior security strategist, said: "It seems that the Lush online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they're taking the web site down. It's not just one sole vulnerability that could have been quickly fixed, but lots of issues that would require a security overhaul."
He concluded: "The attack clearly shows that Lush was in breach of PCI DSS compliance."
Phil Lieberman, president of privileged identity management software specialists Lieberman Software, said: "This looks like a prime example of how not to handle a serious data security incident. Not only has the retailer alienated large numbers of customers, but it could also pay big penalties on several fronts."
This breach should be embarrassing to Lush and any online retailer. The Payment Card Industry Data Security Standard has been around for years, and it’s not terribly difficult to follow. In fact, some analysts are recommending using it as a base for a company’s security model (see Forrester’s PCI Unleashed paper, http://www.loglogic.com/pci-unleashed). What this shows was that Lush was incredibly sloppy with their internal systems, since they did not follow the most basic of best practices.
Posted by: Bill Roth, CMO, LogLogic 27 Jan 2011
Whilst the Lush website has been completely taken down, and this in itself is an extreme measure, this does seem to be a case of closing the stable door after the horse has bolted. I would agree with the fact that this should raise questions surrounding retailers and whether they are actually compliant. As a managed services company, we work to help our customers meet compliance regulations, to do everything they can to prevent such attacks.
Posted by: Juliette_msc 25 Jan 2011