By James Tozer
Last updated at 4:13 AM on 22nd January 2011


Computer hackers may have obtained the bank details of thousands of customers of Lush, the cosmetics firm admitted yesterday.

The company is urging all customers who bought products online as far back as October to check for fraudulent transactions.

So far 43 customers have had their cards used by fraudsters. The thieves bought O2 top-up cards, probably in preparation for larger raids.

Popular: The chain boasts sales of 150m a year

Lush has decommissioned its website and visitors are now greeted with a video of dancing lemmings and a warning about the security breach. It said: 'For complete ease of mind, we would like all customers that placed online orders with us between October 4, 2010, and today to contact their banks for advice as their card details may have been compromised.' In a sarcastic message addressed 'to the hacker', it added: 'If you are reading this, our web team would like to say that your talents are formidable.

'We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.'

Lush said purchases made in shops or via mail order had not been affected and a new website would be launched in the next few days taking payment solely through PayPal.

The firm found out about the illegal activity on Christmas Day. A spokesman said: 'We're all distraught about this – we have a very close relationship with our customers, and that's why we notified them straight away.

'We understand that confidence in us has taken a hit and we have also lost business as a result of closing our website, but we were determined to be open and transparent about this.'

Despite the company's assertions, customers complained of the delay in informing them.

Lush stores across the country have been targeted by hunt supporters

One, Patrick Taylor, from Blackpool, said: 'Lush makes nice stuff and seems to be a cool company, but as soon as they noticed the hack they should have shut down the website and notified customers.

'Thousands of us will have been affected by this.'

Graham Cluley, a senior technology consultant, said: 'Why was the customer credit card information not encrypted? If it had been strongly encrypted then, although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.

All companies need to treat the security of their customers' personal information and credit card data seriously to reduce the chances of hackers being able to cause harm and corporate embarrassment.'

Consumer groups urged the company to contact affected customers directly.

Matt Bath, technology editor at Which?, said shoppers who used the passwords with which they accessed the Lush site for other web pages should change them immediately.

'Hackers may use this information to get into other web-based accounts,' he added.

'Be on your guard for any unsolicited email you may receive from Lush or any third party.'

Founded by 58-year-old Mark Constantine in 1994, Lush has made large donations to direct action groups including hunt saboteurs and opponents of airport expansion.

The handmade cosmetics chain has more than 600 stores in 43 countries producing sales of over 150million a year.

I was also contacted by my bank regarding suspicious transactions on my account, 2 transactions of 1.00. It turned out to be the pay at the pump option that some fuel stations have on the pumps: when you put your debit or credit card in, it checks your account is active and capable of making the transaction (amongst other things I suppose) before allowing fuel. They took 1.00 out then refunded the 1.00, but it was an American financial company that was shown on my account statement, which added to the confusion. Not sure if all pay at the pump fuel stations do it this way.

For those of you Lush lovers who say "get over it, it's not Lush's fault"... well yes, it actually is! They allowed people to trade on their website, giving their credit/debit card details without having the necessary security in place - that's mistake number one and solely Lush's fault. What is morally reprehensible, and quite possibly criminally negligent, is the fact that they knew what was happening, by their own admission, on Xmas day, but took A MONTH to start emailing their customers and telling them! Unbelievable!

I would not be so sure that you are safe if you bought before October, as I bought items from Lush online in July and I had a call from my bank on Boxing Day, i.e. the very next day after the Lush hack was discovered, saying there was fraud on my card and they were cancelling it. Maybe a coincidence, but I use Paypal whenever possible and give my card details to other sites very rarely, if ever.

It's a heck of a lot more than 43 people. Basically anyone who bought anything from their website between October and New Year has probably had their details taken. If you visit Lush website you can see their utterly inadequate response to this - shame on them. Like other posters who have been red-arrowed by the cult supporters, I would never shop in Lush because of the revolting stink from their shops!

....if businesses - presumably to keep their own costs down - don't have sufficient security measures to protect sensitive info then regulations will have to be introduced to enforce such security. I won't be trading online with Lush.

Finding out about it in December but not telling us until this week is just not good enough. It meant that an attempt was made to use my husband's credit card, which thankfully the bank spotted and dealt with. If they'd told us in December we could have cancelled it long before any attempt was made. I'm very disappointed with Lush.