COSMETICS company Lush is trying to placate customers around the world after hackers broke into its website.

The Poole-based firm yesterday closed its UK site after card details were passed to fraudsters.

It urged customers who used the site between October 4 and January 20 to contact their banks.

The firm said it discovered the hacking in late December and some customers have criticised the delay in going public.

The company’s Facebook page was attracting around 125 comments an hour – including many from people whose card details were used in January, often months after they had used Lush.co.uk. The firm said it has sent warning emails to customers and is launching a temporary version of the site using the online payment service PayPal.

Its site carried a message to the hackers, saying: “We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Reported frauds included figures ranging from £15 to 800 euros, spent on items including Xboxes and mobile phone top-ups.

Karine Frei from Metz in France told the Daily Echo: “My credit card was hacked, my boyfriend’s too, and the only payments we made were on Lush.co.uk.

“There is a French Lush forum and lots of girls are so angry.”

Customer Amanda Greaves said on Facebook: “Thank you Lush for telling us. But sooner would have been better.”

Chris Allen said on the company’s Facebook account that fraudsters used his details three months after he used the Lush website.

He said: “Lush must have been holding our unencrypted details since then.”

He added: “Security is every bit as important as your ethical products or friendly service.”

A spokesman for the Information Commissioner’s Office said: “If the details were unencrypted that potentially would be of interest to us.”

Andy Headington, from secure website specialists Adido Solutions of Dean Park, Bournemouth, said the “most shocking” part was that Lush must have stored customers’ details.

He said: “We never recommend that.

“You need a big infrastructure to back it up.”

He added: “I think someone must have been aware it was doing that.”

Lush’s ethics director Hilary Jones said it had been a “hellish” time and that organised crime was usually responsible for such attacks.

She said the firm discovered a hacking attempt on Christmas Day and the site was closed over the New Year as a precaution but the attacks resumed in January.

The fraudsters were making test purchases of £15 phone top-ups and criminals sometimes hold onto the data before using it, she said.

She said a forensic expert was carrying out an investigation and that until that was completed she could not comment on issues of storing data and encryption.

Lush also said in a statement: “We are horrified that this has happened.

“We understand the distress of those affected and we appreciate our customers’ continued support while we resolve the matter.”