Check your credit cards now - cosmetic company Lush hacked

If you ordered anything from cosmetics store Lush in the weeks leading up to Christmas - and up to yesterday, in fact - you'll want to check your credit card statements and call your bank. Several avid Bitterwallet readers have been in touch to say the online store's payment system has been hacked - and has been for the past three months.

Customers possibly affected, including reader Will, received an email from the business late last night:

We would like to draw your attention to the statement below, as we believe you placed an order with us during the affected period. We are keen for customers not to have their credit cards used fraudulently, so urge you to contact your bank.

Our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.

For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

The Lush website has indeed disappeared, aside from a copy of the statement and a message to those responsible:

If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.

Reader Jason points out a pattern of issues faced by customers on Lush's Facebook page - several have had their card details used to top up O2 and Xbox accounts to the tune of several hundred pounds, while there have been claims of money being stolen outright. More worrying are claims that Lush may have already been alerted to the problem:

[Screenshot: Lush hacked, check your credit cards]

If you're a recent customer of Lush, you need to check your recent statements immediately and contact your card provider; the likelihood is that you'll need to cancel the card, since its details appear to be in the hands of a third party. Once your exposure to fraud has been dealt with, you can ask Lush why it took them over three months to identify the problem and take action.


  • Rich
    You beat the BBC in reporting this story...well done :)
  • Mike
    PCI fail.
  • Viewer
    Cosmopolitan posted this news yesterday.
  • ex c.
    Not a single apology for their failings, yet a rallying call to stand 'shoulder to shoulder'. Severe inconvenience at best for most customers, worse for others, and it appears they knew they were vulnerable. Pity they put Christmas profit before the safety of their customers. I won't buy anything off them again; I hope other customers will join me. Let's stand shoulder to shoulder against these greedy idiots.
  • Denzil G.
    And what in Swansea are going on here??? Bournemouth echo beat you to this story!
  • Nob
    We don't believe in paying a little extra for your financial security.
  • nick
    That's the wrong logo. That's the logo of Lush in Washington (USA); get the UK one here.
  • The G.
    Lush Statement: "Meanwhile we would be delighted to serve you in our shops or take your order at our Mail Order Phone Room. Both of which have not been affected by this crisis since their credit card terminals are directly linked to the banks only and are not internet based." I take it they don't use an Online Authorisation statement; this means the card number will have passed through their EPOS system, to a SQL database, to the bank. It will be stored in probably a similar place to the orders placed on their website. Depends how compromised they were. If they were storing complete credit card information on a "front end" SQL server (i.e. on a server with connectivity from the outside world), they were asking for this from day one.
  • Nibbler!/photo.php?fbid=377024205053&set=a.10150313433690054.556443.21899050053
  • Jason
    Bit of misinterpreting in the article. The Facebook status comments highlight many people having 2 transactions to O2 at £15 apiece (likely a fraud test to see if the bank / account holder notices, before attempting bigger transactions). You'll see mentions of ~£600 too, rarer and random purchases (clothing and electronics).
  • Rich
    What's Swansea got to do with it? I'm from Swansea.
  • Jason S.
    "24 hour security monitoring" ??? So why has it taken them 3 months to detect it??
  • Willson P.
    Jason, you can monitor until the cows come home, but you've got to: A. Give a shit when you find something 2. Do something about it iii. Put the security of customers' personal information before a tidy profit. I hope they end up on the BW Retail deathwatch list for this. Well, this, and their shops pollute the high street with cheap smelling shite.
  • neil g.
    I really hope for their sake they had some form of website insurance!
  • J w.
    My daughter bought a load of Christmas stuff from Lush, but was fortunate in that her bank noticed a transaction for 550 pounds going out for electronic goods, and called her to question it. She'll not be liable, now, for the hacked amount. What a nightmare!