The Web site of Lush, the natural ingredients cosmetic firm, has reportedly been cracked and subverted by attackers, with reports that customers' bank details have already used by fraudsters.

Lush is urging all customers who bought products online as far back as October to check for fraudulent transactions.

So far 43 customers have had their cards used by fraudsters. The thieves bought 02 top-up cards, probably in preparation for larger raids. Below is a comment from Noa Bar-Yosef, Imperva’s Senior Security Strategist, on the hack (below is a screenshot of Lush’s website on Friday):


Looking further into the hack and what has happened, Noa Bar Yosef observes:

1. It seems that Lush online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they’re taking the website down. So it’s not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.

2. The hacks occurred throughout a 4-month timeframe. Yet, they know the exact dates of start-finish of the hack, which means that they did have some sort of audit during the attack. Yet, there was probably no one responsible to constantly oversee the audits to alert in the case of abnormal behavior.

3. In regards to the audit – Lush mentions that they are informing all “potentially affected” customers. This means that they do not have exact affected customers details. A good audit trail should also provide concrete details regarding who was affected and when.

4. The attack clearly shows that Lush was in breach of PCI DSS compliance.

5. Look at the “We Believe” statements. There’s no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a “We Believe” on making the website more secure for their customers.