The Register® — Biting the hand that feeds IT

Feeds

Luckless Lush hammered in hack

Australia site of bath bomb retailer blitzed

By Register AU staff, 14th February 2011
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Australian cosmetics retailer Lush has pulled the kill-switch on its web store following a security breach.

In a statement that replaced its home page on Tuesday, Lush Australia says it has been alerted that the security breach may have exposed customers' credit card information. The statement directs customers to contact their bank to discuss whether cancellation is warranted.

In spite of the similarity to a similar breach of Lush's security in the UK, the company claims the two incidents are not related.

"Our Website is not linked to the Lush UK Website, which was recently compromised," the company's statement said.

Update: card theft confirmed

According to a report by the ABC, Lush has since confirmed that card details were stolen, along with the company's entire customer database.

Lush Australasia director Mark Lincoln says customers would not have been aware that their card details were kept. The ABC report says the vulnerability occurred because of a "failure to keep the Website updated".

The company told the ABC it does not know how long breaches may have been occurring. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (12)
Highly Rated
SirTainleyBarking

May not be "Linked"

But I wouldn't be surprised if the same basic construction / code was used, with the only differences being the sales text and some of the pictures. You'd have thought that they would have checked the first time around.

Instead of developing lumpy soaps on a rope prehaps they should divert their attention to clue sticks and security, as this is just embarrassing

4
0
MegC

Gits

I was one of the effected customers fromt he UK site, quite annoying as I definately didnt tick any "Please remember my card details" box.

Apparently they knew before christmas about the problem on the UK site but held out on letting anyone know because it might scare off the christmas punters, the police should be bloody investigating them as well as the hacker that did it. When I rang the bank to cancel my cards etc... they said they'd had tonnes of people ringing to cancel because of emails from Lush.

1
0
Glen Turner 666

Why?

Remind me why Lush needed to keep people's credit card details?

1
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
122
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39