Lush Response To Web-Site Hack Inadequate

Lieberman Software : 25 January, 2011  (Technical Article)
Sustained vulnerabilities on the cosmetics company's website, which led to customer card fraud, could do significant damage to the company's brand after Lush gave a weak response that stated nothing beyond its awareness of the problem, according to Lieberman Software.
The Web site of Lush, the natural ingredients cosmetic firm, was reportedly cracked and subverted by hackers. Unconfirmed reports suggest that customers' payment card details have already been used by fraudsters.

According to Phil Lieberman, president of privileged identity management software specialists Lieberman Software, whilst reports of the site hack only broke on the newswires late on Friday, forum postings suggest the compromise had been harvesting customer payment card details for some time.

"This appears to have been confirmed by Lush, which says that anyone who placed an online order between October 4 and last Thursday should contact their bank in case their payment card has been compromised," he said, adding that the BBC reports that customers are now complaining about fraudulent purchases.

This saga is a potential brand destroyer, says Lieberman, as the cosmetics firm could have handled the situation better. One needs only read the comments on the Lush Facebook page, Lieberman added, to see the anger and frustration of the company’s past customers.

"The bare minimum response of companies who undergo similar attacks is usually to fully disclose the scope of the breach, offer a frank apology, and provide a year's worth of no-cost credit checks for impacted consumers," said Lieberman. Instead, the company simply said it was aware of the problem.

"I agree with consumers who say that the retailer's response has been inadequate," he added. "The company should have responded earlier and with more appropriate action, especially since this organization has been in the industry for several decades and, while portraying itself as a small and laid-back company, is in reality a major chain with a multi-million pound turnover."

Lieberman went on to say that the firm could face punitive fines from the Information Commissioner's Office, as well as an investigation under the PCI DSS security rules from the Payment Card Industry Security Standards Council. Whilst it is unlikely that Lush will lose its ability to process card transactions as a result of the incident, the firm could find that its commission rates rise, adding substantially to its cost of doing business in the wake of the fiasco.

"This looks like a prime example of how not to handle a serious data security incident. Not only has the retailer alienated large numbers of customers, but it could also pay big penalties on several fronts," he said.

"The real damage lies in the fact that the reputation of the company - which prides itself on customer service and an eco-friendly approach to its products - will take a battering. There are a lot of customers who will be tempted to buy elsewhere, and that is a stark reality," he added.

"Other firms who are concerned about their own Web site and card security arrangements would do well to sit up and take notice."