Poor security lands soap firm in hot water
Over 40 Lush customers have had their card details used by cyber criminals
The web site of bathroom products retailer Lush has fallen victim to hackers. At the time of writing, the site displays the message: "We are sorry to confirm that our website has been the victim of hackers" as its header.
It also features a section titled 'To the hacker', which praises the cyber criminal: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers."
The company is urging all customers who bought products online as far back as October to check for fraudulent transactions. So far 43 customers have had their cards used by cyber criminals.
Noa Bar-Yosef, Imperva's senior security strategist, said: "It seems that the Lush online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they're taking the web site down. It's not just one sole vulnerability that could have been quickly fixed, but lots of issues that would require a security overhaul."
He concluded: "The attack clearly shows that Lush was in breach of PCI DSS compliance."
Phil Lieberman, president of privileged identity management software specialists Lieberman Software, said: "This looks like a prime example of how not to handle a serious data security incident. Not only has the retailer alienated large numbers of customers, but it could also pay big penalties on several fronts."