Handmade cosmetics group Lush has admitted its website was hacked repeatedly by fraudsters over the past three months, putting thousands of customers at risk of having their card details stolen. But the company only informed customers last night.
Lush has taken down its website and replaced it with a statement: "We would like all customers that placed online orders with us between 4 Oct 2010 and 20 Jan 2011 to contact their banks for advice as their card details may have been compromised."
The beauty company warned: "24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter".
Customers will be unable to make purchases until a new site is launched "in a few days" accepting only PayPal payments, but orders are still being taken via its mail order telephone service, which the cosmetics group said had been unaffected by the "crisis". Customers who paid by card in Lush stores are also unaffected.
Rik Ferguson, a consultant at security company Trend Micro, said he knew someone who had used the site for an order and subsequently seen fraudulent orders of £1,700 made against it. "The risk of these card numbers being used has already moved from theoretical to reality," he said.
The fact that Lush is warning customers to contact their banks may indicate that it stored card details on its site unencrypted. If true, that could mean it failed to meet the regulations known as PCI compliance, which govern how websites store card details in Europe.
That, in turn, could at worst see Lush stripped of its ability to accept credit card payments online. The Lush site said it would be launching a separate site "in a few days", which would accept PayPal payments only. PayPal transactions do not require PCI compliance. The company did not respond to a request to explain whether it had conformed to PCI standards before this story was published.
Lush posted a video of dancing lemmings alongside its statement to "try to share a smile" and added an amusing message for the hackers: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers".
Graham Cluley, senior technology consultant at computer and web security firm Sophos and a respected blogger on the subject, said: "If I were a customer of Lush's website I wouldn't feel like smiling this morning. It would certainly be interesting to hear when Lush first discovered that they had suffered from a security breach. Was it at the same time as they posted the message on the front page of their website, or have they known for a while longer?"
Many customers are also asking why it took Lush so long to inform them if the website was first hacked in October, especially as its statement indicates it has 24-hour security monitoring.
One post on Twitter read: "So Lush knew they were hacked since Christmas and they've JUST decided to share the info? Disappointed, really am". Another tweet said: "I don't care if Lush products are eco friendly or not. I care if they keep my bank details secure". Another claimed: "I still have my emails from Lush dated back to 2007 in which they admit to having serious glitches and 'gremlins' with their website".
Patrick Taylor, a Lush customer from Blackpool, told the Guardian: "Lush makes nice stuff and seems to be a cool company, but as soon as they noticed the hack they should have shut down the website and notified customers. Thousands of us will have been affected by this. My girlfriend is now having to check her credit card details."
Victims were also posting messages on the Lush Facebook page. One wrote: "We've had our card compromised and used in fraudulent transactions just three days ago. It has now been cancelled and we have no way to access our money."
There was also speculation as to how long Lush had been holding customers' financial data in an insecure environment. One Lush victim said: "We used Lush's site back in late Nov. They must have been holding our details unencrypted since then."
'Security is of paramount importance'
In a statement Lush said: "We became aware in late December that www.lush.co.uk had been the subject of attacks by hackers. Our customers' security is of paramount importance to us and as soon as we realised this was the case, we immediately took down our UK website, a thorough investigation followed and extra security measures were put in place.
"24-hour monitoring has shown that another attempt to hack our UK site has been made and again, we have taken down our UK website as a precaution.
"We are horrified that this has happened, we understand the distress of those affected and we appreciate our customers' continued support while we resolve the matter. We will be continuing to work with our credit card acquirer to carry out a full investigation into this hacking attempt."
Lush has in the past been praised by green campaigners for not using animal fats in its products, as well as its stance against animal testing – it performs tests with human volunteers instead. The group has also sold products that pass on the full purchase price to charities, as well as promoting various charities on its product packaging.
Loyal customers are defending the company and praising it for the way its statement was written. One Twitter user wrote: "I like the way Lush is handling the hackers that have shut down its online trading". Another wrote: "Some horrible people have hacked Lush website … they need to get a life and leave the lovely peeps at Lush alone".
Cluley said Lush appeared to be adopting a "social media response" to the security breach. "Although the news for customers is very worrying, they are trying to present the news in a warm-and-cosy way," he said. "I do wonder, however, how well customers will take news that their credit card details may have been compromised – and may not appreciate Lush's attempts to smooth the waters."
He added that it would have been more helpful if Lush had linked to information showing people how to tell if their credit card is being abused and the next steps affected customers should take. Instead, Lush customers are merely advised by the company to contact their bank or credit card provider for advice.