Lush hack due to numerous security vulnerabilities
Posted on 24 January 2011.
The website of Lush, the natural ingredients cosmetics firm, has reportedly been cracked and subverted by attackers, with reports that customers' bank details have already been used by fraudsters.

Lush is urging all customers who bought products online as far back as October to check for fraudulent transactions.

So far 43 customers have had their cards used by fraudsters. The thieves bought O2 top-up cards, probably in preparation for larger raids. Below is a comment on the hack from Noa Bar-Yosef, Imperva's Senior Security Strategist (a screenshot of Lush's website on Friday is also shown below):


Looking further into the hack and what has happened, Noa Bar Yosef observes:

1. It seems that Lush's online application is riddled with vulnerabilities. They even comment on continuing to be a target, and so they're taking the website down. So it's not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.

2. The hacks occurred throughout a 4-month timeframe. Yet they know the exact start and finish dates of the hack, which means that they did have some sort of audit during the attack. Yet there was probably no one responsible for constantly overseeing the audits to alert in the case of abnormal behavior.

3. In regard to the audit: Lush mentions that they are informing all "potentially affected" customers. This means that they do not have exact details of the affected customers. A good audit trail should also provide concrete details regarding who was affected and when.

4. The attack clearly shows that Lush was in breach of PCI DSS compliance.

5. Look at the “We Believe” statements. There’s no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a “We Believe” on making the website more secure for their customers.

Copyright 1998-2014 by Help Net Security.