If you visit the Lush Cosmetics Australian website you will find a single banner page announcing that the site has suffered a "Privacy Breach." This is contained as a single JPG image with no other links on the page. In fact if you use your favourite search engine to find sub-pages, they all return a 404 error. It would appear that the entire site has been removed from the server and the single banner page put in its place.
In part, the site statement says:
We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.
We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.
Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry out further security checks.
So, this statement is telling customers that there was a breach in the AU/NZ site and that it follows a similar breach at the UK operation a couple of weeks earlier identifying that transactions on the UK site between 4th October and 20th January have been breached (the statement notes that they "hope that we have overestimated the timeframe involved, in order to minimise the amount of customers involved").
According to the UK statement, customers HAVE suffered fraudulent transactions on their credit cards although it is unclear whether these transactions were the first Lush knew of the issue or whether it was uncovered by their own monitoring.
As yet, neither operation has given any clues as to the source of the breach, although typically such eCommerce hacks are targeted at the SQL server.
A major question that needs to be addressed is why two related sites have suffered similar breaches within weeks of each other. Another is did the local Lush website manager test the validity of his site's security within seconds of hearing about the UK incident as would be expected. If so, then why did a similar breach occur yet again? It is not known whether the ACCC will get involved with this latest incident but it would not be a surprise.
"Again we would like to say that we are truly sorry and thank our customers for standing shoulder to shoulder with us during this difficult time."
Lush Australia has been contacted for comment.
News Source : Google
