Lush Security Breach Avoidable With Protective Monitoring

LogRhythm : 26 January, 2011  (Technical Article)
LogRhythm comments that taking an extended period of time to detect and act upon the security breaches of the Lush e-commerce web site is unacceptable, as it exposed the company's customers to data fraud risks
UK cosmetics group Lush has been forced to shut down the e-commerce section of its website in response to repeated hacking attacks since Monday 4 October 2010. While the company claims to have 24 hour security monitoring, customers were first alerted to the breach on Thursday 20 January 2011, over three and a half months after the initial attack.

LogRhythm, a log management and regulatory compliance specialist, argues that had true protective monitoring been in place, Lush would have been alerted to the attacks instantly. Customers have since reported fraudulent use of their card details; these individuals would have been protected had Lush warned them of the breach at an earlier date.

“Yet another security breach underlines the need for effective monitoring, and yet again it is the consumer that pays the price with their data,” said Ross Brewer, VP and MD of international markets at LogRhythm. “Taking almost four months to detect a security breach is unacceptable and the monitoring system mentioned in Lush’s statement is clearly not up to the job. Centralised logging and security event management platforms automatically monitor the millions of logs and audit trails generated daily by every IT related action, while also reporting and alerting on suspicious or unexpected activities that warrant special attention. Had such a system been in place there is no way this incident could have occurred.”
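The kind of rule a centralised logging platform runs over web-server audit trails, as an added example that is not from the article and is not LogRhythm's product: a sliding-window detector that raises an alert when one client address produces a burst of failed logins, forbidden requests or server errors, and reports how long after the first suspicious event the alert fired. The log lines are constructed for the example in a common combined-log style; the threshold, window and the choice of status codes treated as suspicious are assumptions a real deployment would tune.

```python
"""Minimal protective-monitoring rule over constructed web-server log lines.

Added example, not code from the article or from LogRhythm. It shows the
shape of an automated alert: parse each audit record, keep a per-client
sliding window of suspicious responses, alert once the window crosses a
threshold, and measure detection latency against the first event in that
window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic for an e-commerce site (not real Lush data).
# 198.51.100.20 is an ordinary shopper; 203.0.113.9 hammers the login page.
SAMPLE_LOG = """\
198.51.100.20 - - [04/Oct/2010:09:11:58 +0100] "GET /shop HTTP/1.1" 200 8211
203.0.113.9 - - [04/Oct/2010:09:12:01 +0100] "GET /shop/basket HTTP/1.1" 200 5120
203.0.113.9 - - [04/Oct/2010:09:12:05 +0100] "POST /shop/account/login HTTP/1.1" 401 128
198.51.100.20 - - [04/Oct/2010:09:12:10 +0100] "GET /shop/product/42 HTTP/1.1" 200 6630
203.0.113.9 - - [04/Oct/2010:09:12:14 +0100] "POST /shop/account/login HTTP/1.1" 401 128
203.0.113.9 - - [04/Oct/2010:09:12:22 +0100] "POST /shop/account/login HTTP/1.1" 401 128
203.0.113.9 - - [04/Oct/2010:09:12:30 +0100] "GET /shop/admin HTTP/1.1" 403 97
198.51.100.20 - - [04/Oct/2010:09:12:35 +0100] "POST /shop/checkout HTTP/1.1" 302 0
203.0.113.9 - - [04/Oct/2010:09:12:41 +0100] "POST /shop/account/login HTTP/1.1" 401 128
203.0.113.9 - - [04/Oct/2010:09:12:50 +0100] "POST /shop/account/login HTTP/1.1" 401 128
this line is deliberately malformed and must be skipped, not crash the monitor
"""

# Combined-log style record: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict for one access-log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None  # a bad record is logged elsewhere in practice; never fatal here
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_suspicious(event):
    """Assumed rule: auth failures, forbidden requests and server errors count."""
    status = event["status"]
    return status in (401, 403) or status >= 500


def detect_alerts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert once per client whose suspicious responses reach `threshold` within `window`.

    Each alert records the client, how many events were in the window, when the
    first of them happened, when the alert fired, and the latency between the two.
    """
    recent = defaultdict(deque)  # ip -> timestamps of suspicious events still in window
    alerted = set()              # suppress duplicate alerts for the same client
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_suspicious(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "count": len(q),
                "first_seen": q[0],
                "alert_time": ev["ts"],
                "latency_seconds": (ev["ts"] - q[0]).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_alerts(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['count']} suspicious responses, "
              f"first at {a['first_seen']:%H:%M:%S}, raised at "
              f"{a['alert_time']:%H:%M:%S} ({a['latency_seconds']:.0f}s after first event)")
```

On the constructed sample the alert for 203.0.113.9 fires 36 seconds after its first failed login, which is the contrast the article draws: a monitoring platform evaluating every record as it arrives measures detection time in seconds, whereas the breach described went unnoticed for months. A real deployment would feed these events from centrally collected logs rather than a string, tune the threshold and window per endpoint, and route the alert to someone obliged to act on it.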

By neglecting to adequately protect the data held on its site, Lush may also have failed to meet PCI compliance regulations. This may result in onerous penalties for the company, including being stripped of its ability to accept credit card payments online.

“There is an implication that Lush may have overlooked PCI rules, an allegation it has failed to deny when asked,” continued Brewer. “Bob Russo, general manager of the PCI Security Standards Council, has spoken in favour of centralised logging, stating that without it, organisations are likely to miss important data. He said that it is a ‘proven fact that every time we find a breach, it’s always found in the log’. With penalties becoming ever more costly and with the EU data protection supervisor, Peter Hustinx, calling for tougher laws, it is essential that organisations deploy the intelligent, automated and centralised solutions required to secure IT systems.

“This security breach should serve as a warning to others. Lush will struggle to repair its reputation as the incident will have severely damaged relations with its existing customers and harmed its chances of attracting new ones. Recent LogRhythm research found that 66 percent of UK customers try to avoid future interactions with organisations found to have lost confidential data, while 17 percent resolve never to deal with them again*.”
   © 2012 ProSecurityZone.com