Hackers may have obtained the bank details of thousands of Lush customers, the cosmetics company acknowledged yesterday.
The Hacker News

The company is asking all customers who purchased products online during the month of October to check for fraud.

To date, 43 customers have had their cards used fraudulently. Thieves bought 02 top-up cards, possibly in preparation for large-scale raids.

Popular: the retail chain turns over £150m a year

Lush has taken down its website, and visitors are now greeted with a video of dancing lemmings and a warning about the security breach. It said: "For peace of mind, we want all customers who placed online orders with us between October 4, 2010, and today to contact their banks for advice, as their card information may have been compromised." In a sarcastic message addressed to the "pirates", it added: "If you are reading this, our web team would like to say that your talents are formidable.

"We would like to offer you a job, were it not for the fact that your morality is clearly not compatible with ours or our customers'."

Lush said purchases made in store or by mail were not affected, and that a new website taking only PayPal payments will be launched in the coming days.

The company discovered the illegal activity on Christmas Day. A spokesman said: "We are all confused here - we have a very close relationship with our customers, so we reported it immediately.

"We understand that confidence in us has taken a hit and we lost business resulting from the closure of our site, but we were determined to be open and transparent about it."

Despite assurances by the company, customers have complained about the delay in notifying them.

Lush stores across the country have been hit by hunt supporters

One, Patrick Taylor from Blackpool, said: "Lush do good things and seem to be a cool company, but when they noticed the hack, they should have closed the site and notified their customers.

"Thousands of us have been affected by this."

Graham Cluley, senior consultant, said: "Why is the customers' credit card information not encrypted? If it had been strongly encrypted then, even though a hack could be embarrassing, customers would not necessarily be at risk of fraud.

"All companies need to address the security of their customers' personal information and credit card data to seriously reduce the risk of piracy causing harm and embarrassment to the company."

Consumer groups urged the company to communicate with affected customers directly.

Bath Matt, director of technology at Which?, said shoppers who have used their Lush password on other sites must change it immediately.

"Hackers can use this information to enter into other accounts on the Web," he added.

"Be wary of unsolicited e-mails that appear to come from Lush or third parties."

Established in 1994 by 58-year-old Mark Constantine, Lush has made large donations to direct action activities, including hunt saboteurs and opponents of airport expansion.

The handmade cosmetics chain has more than 600 stores in 43 countries, with sales of more than £150 million a year.
