Lush hack due to numerous security vulnerabilities
Posted on 24 January 2011.
The website of Lush, the natural-ingredients cosmetics firm, has reportedly been cracked and subverted by attackers, and customers' bank card details have reportedly already been used by fraudsters.

Lush is urging all customers who bought products online as far back as October to check for fraudulent transactions.

So far 43 customers have had their cards used by fraudsters. The thieves bought O2 top-up cards, probably as a low-value test of the stolen cards in preparation for larger raids. Noa Bar-Yosef, Imperva's Senior Security Strategist, commented on the hack as follows (a screenshot of Lush's website on Friday accompanied this article):


Looking further into the hack and what has happened, Noa Bar-Yosef observes:

1. It seems that Lush's online application is riddled with vulnerabilities. They even comment on continuing to be a target, and so they're taking the website down. So it's not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.

2. The hacks occurred throughout a 4-month timeframe. Yet they know the exact start and finish dates of the hack, which means that they did have some sort of audit during the attack. Yet there was probably no one responsible for constantly overseeing the audits to alert in the case of abnormal behaviour.

3. With regard to the audit: Lush mentions that they are informing all "potentially affected" customers. This means that they do not have the exact details of the affected customers. A good audit trail should also provide concrete details regarding who was affected and when.

4. The attack clearly shows that Lush was in breach of PCI DSS compliance.

5. Look at the “We Believe” statements. There’s no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a “We Believe” on making the website more secure for their customers.
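Points 2 and 3 above turn on what an audit trail is actually used for: continuously watching it for abnormal behaviour, and being able to name exactly which customer records were touched and when. The following is an added example written for this page, not code from the article, from Imperva or from Lush, and it knows nothing about Lush's real systems. It assumes a constructed audit-log format (timestamp, source address, customer id, action) and makes up every sample line; the "abnormal behaviour" rule (one source reading more than a handful of distinct customer records within a minute) is a deliberately simple illustrative threshold, not a recommendation for any particular value.

```python
"""Audit-trail review: flag abnormal sources, bound the attack window,
and list the customers concretely affected.

Added example for illustration only; the log format, the sample lines
and the thresholds are all constructed here."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <source-ip> <customer-id> <action>".
# 203.0.113.7 enumerates many customer orders in seconds; the others look normal.
SAMPLE_AUDIT_LOG = """\
2010-10-03T09:12:01 203.0.113.7 cust-1001 view_order
2010-10-03T09:12:04 203.0.113.7 cust-1002 view_order
2010-10-03T09:12:05 203.0.113.7 cust-1003 view_order
2010-10-03T09:12:07 203.0.113.7 cust-1004 view_order
2010-10-03T09:12:09 203.0.113.7 cust-1005 view_order
2010-10-03T10:40:00 198.51.100.20 cust-1001 view_order
2010-11-15T14:02:10 203.0.113.7 cust-2001 view_order
2010-11-15T14:02:12 203.0.113.7 cust-2002 view_order
2011-01-20T08:00:00 198.51.100.21 cust-3001 view_order
"""


def parse_audit_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, cust, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "src": src, "cust": cust, "action": action})
    return events


def flag_abnormal_sources(events, window=timedelta(minutes=1), max_customers=3):
    """Return {source: peak distinct customers} for sources that read more
    than max_customers distinct customer records inside any sliding window.
    This is the kind of check an audit overseer would run continuously."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            distinct = {e["cust"] for e in evs[lo:hi + 1]}
            if len(distinct) > max_customers:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def attack_window(events, flagged):
    """Earliest and latest activity by flagged sources: the concrete
    start and finish dates, rather than a vague multi-month range."""
    times = [e["ts"] for e in events if e["src"] in flagged]
    if not times:
        return None, None
    return min(times), max(times)


def affected_customers(events, flagged, start, end):
    """Sorted list of customers whose records a flagged source touched
    between start and end: the 'who and when' a good audit trail gives."""
    hit = {e["cust"] for e in events
           if e["src"] in flagged and start <= e["ts"] <= end}
    return sorted(hit)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    bad = flag_abnormal_sources(evs)
    first, last = attack_window(evs, bad)
    print("abnormal sources:", bad)
    print("attack window:", first, "to", last)
    print("affected customers:", affected_customers(evs, bad, first, last))
```

Run against the constructed log, the scan from 203.0.113.7 is flagged on the first day it appears, the window resolves to two specific timestamps, and the affected set is an explicit list of seven customer ids rather than "everyone who shopped since October". The threshold and window are the parts a real deployment would tune to its own baseline traffic.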
