
January 22, 2011

Exactly when did Lush know about security breach?


by Darren Allan

You may recall yesterday that we reported on the security breach at the Lush cosmetics website.

The firm has taken its main site down, replacing it with a message stating that it has been hacked and that the hackers are still attempting to access the web page. An unknown number of customer credit card details have been siphoned off; the company hasn’t said exactly how many.

In fact, it’s been rather coy with details on the whole, as ever-present security commentator Graham Cluley of Sophos notes on his blog.

He makes several good points, such as whether the customer card information was encrypted, as you would think it should have been. With strong encryption, those whose financial details have been compromised aren’t necessarily at risk.

It is clear from the company’s Facebook page alone, though, that a number of customers have already been exposed to fraud or attempted fraud.

Perhaps the most telling question, however, is when Lush actually discovered this security hole. Was it yesterday, when the site was shut down and the placeholder message put up? Or has the company known for longer?

ZDNet UK’s security analysis column claims: “Some security experts have questioned Lush’s timing in notifying customers of the breach. The company has acknowledged that it discovered the issue in late December, yet affected transactions include ones placed in January.”

The same article states that the cosmetics firm initially responded to the breach by investigating and putting “extra security measures” in place. It was only when the latest hack attempt was discovered that the site was taken down.

Cluley also questions whether Lush has notified those affected by the incident directly via email, as you would hope. However, the company has answered that question on the placeholder site now, writing: “All customers potentially exposed to this breach were sent an e-mail on 20 January 2010.”

A temporary Lush online ordering site is expected to be set up in the next few days, which will use PayPal only. For the moment, you can only order via the phone (or in retail shops, of course).
