POOLE-based cosmetics firm Lush has said it will be months before a new website is ready after a hacking scam.

The firm closed its site after credit card details were stolen and passed on to fraudsters.

Lush is one of Poole's biggest employers with 500 staff and a worldwide headquarters on the Fleet Industrial Estate.

The firm's ethics director, Hilary Jones, said: "The temporary site will be ready soon, but the rebuilt site - that's a few months off."

She said the new website was being built internally.

She said the company didn't know what the effects would be on sales, saying looking after customers was the priority.

Lush discovered the attacks on Christmas Day and went public after they resumed.

The firm said cards used from October 4 onwards may have been affected but that this timescale was "erring very much on the side of caution".

Angry customers and security experts have speculated that the firm had been storing unencrypted personal data, but Lush says it is carrying out a forensic examination and will not comment until it has been completed.

Dr Paul de Vrieze, a Bournemouth University expert in web systems, said: "It's not clear if there was a database of credit card data or if the hackers put in some kind of bug that gathered information, which seems to be the case."

He added: "Lush will likely outsource the creation of a new site.

"But even the most secure site can get hacked if people really target you. Absolute security doesn't exist.

"It's a little bit like home safety - you can make your house safer, and then the burglars will target your neighbour's house.

"And if you make it very secure and spend a lot of money, your products become more expensive."

Hilary Jones said police advised the company that the costs and difficulties of chasing hackers - who are often criminal gangs based in countries outside the EU - made a prosecution unlikely.