Credit card details stolen by Lush hackers


04 March 2011
Cosmetics company Lush has admitted its out-of-date computer system has left thousands of its customers vulnerable to hackers.

Shoppers using Lush's online stores in Australia and New Zealand have been urged to cancel their credit cards today after the company's website was targeted by cyber thieves.

Lush Australasia director Mark Lincoln has told ABC News Online their online customer database has been stolen.

He says Lush customers were not informed their credit card details were being stored on the database and he understands why customers would be upset about that.

"They wouldn't have been informed that they were kept," he said.

He says a failure to keep the website updated left customers exposed to the hacking attack.

"The code that the website was written in was a very old version and it hadn't been updated, so it was a legacy from that code," he said.

It follows a similar attack on Lush's UK parent company in January, when a security lapse left customers exposed to hackers for four months.

"Following the events that happened in the UK with our parent company, we started reviewing the security arrangements for our sites and reviewing the process of capturing orders and how they were processed," Mr Lincoln told ABC News Online.

"We were actually in the process of deleting those details from our database, so we had become aware that was an issue, and we were in the process of making changes to the code."

But Mr Lincoln says shutting down the website to protect customers was not an option.

"We had discussions with our web-hosting provider who believed the site had not already been compromised, so we believed the best thing to do was to carry on and put in further monitoring and further security precautions," he said.