Lush Website Hacked - Christmas Profits over Damage Limitation?

As I'm sure most of you are aware by now, the Lush UK website fell victim to hackers this week, resulting in the website being taken down and replaced with a single page explaining the current situation.

So if you did order anything from the UK Lush site between 4th October and 20th January 2011, it really is important that you contact your bank to make sure nothing has been taken from your account.

The page also includes a video of dancing lemmings to apparently help Lush customers 'share a smile', which to be honest may have raised a smile for the customers that haven't been affected, but I'm sure the little dancing rodents will only be creating frowns for the customers left without a cash card this week.

Slightly inappropriate video aside... I do feel the actual information that Lush has given so far has been on the light-hearted side and not that helpful, with only the mail-order telephone number given on the temporary holding page, so you can make sure you place your urgent order of ballistic bath bombs!

I mean really! Where is the Customer Service helpline, or at least a website link for further information on how to tell if your credit card has been abused (for example, Get Safe Online)?
There really does seem to be more information on when a new PayPal version of the site will be up and running!

As for the hacking of the website itself - really, don't get me wrong, it is a terrible thing to happen to Lush and all of its customers.
However, at the end of the day Lush is responsible for protecting all customer information, and sadly I think this is where they have really gone wrong - from the lack of encryption of the data held on the website to the misinformation being given since Lush found out about the attacks back in December!

From looking over past Lush tweets and reading recent statements from Lush, it is clear that they knew of the attacks on the website in late December (though the first hack happened in October) - when they actually closed their site temporarily on the 26th December, tweeting -

"We're working on the UK website and hopefully it will be available again soon. Really sorry for the inconvenience"

They further closed their website on the 29th December, again with no mention of the site being under attack, tweeting -

"The Lush website is having a little downtime after Christmas but you can still order at 01202668545"

Not surprisingly, their Christmas sales figures were up 6.8% for the month of December.

Which really does make me wonder if they kept their customers uninformed of the risk of fraud until the 20th January so as not to see a drop in their sales.

Either way, this will hit Lush hard, as I am sure a lot of customers will not be buying from them online again.

I just hope the people that have been affected can recover all the funds that have been stolen, which is what Lush should also be focusing on right now.



  1. They say it's beyond their control, but most websites now have spent the money to make their website hacker proof so why hasn't Lush? It's the customer that's had to suffer from this. I'm just glad I hadn't ordered during the time period or my mum wouldn't be too happy ;) xo

  2. this is SO incredibly unfortunate! i hope the banks sort this all out for the customers. i've been a victim of "possible" debit card fraud 3 times in 2 years and i know how frustrating it is to be without one.

    as for lush's actions, well... part of me wants to give them the benefit of the doubt since i'm sure none of us know the whole story. but at the end of the day, they are a business. that doesn't justify their actions AT ALL, but it leads me to be a little unsurprised. still disappointed on behalf of their customers, but unsurprised nonetheless.

  3. I agree with everything you have said Fee.

    I'm unfortunately one of the people to suffer, as I found out today when I saw payments had been taken out of my bank to O2.

    I'm extremely upset about the whole thing. My bank has been fantastic and are refunding my money for me.

  4. Oh dear, I got some stuff from my boyfriend's family over Christmas - I sincerely hope it wasn't bought online :-(

    I don't actually feel like there's been enough info sent out here at all.

  5. My bank called me a couple of weeks ago to say that the police had been in touch with them with a list of card numbers that they thought were stolen and mine was amongst them, so they were cancelling my card and would refund any money that had been stolen. When I asked the bank how this could have happened they said it would be as a result of a website being hacked - I got an email from Lush this morning saying that I may have been affected and whilst it thanks me for standing "shoulder to shoulder with them" it doesn't go so far as to offer an apology. As you rightly say, the key thing is for sites to take responsibility for the security of their customers' information and Lush seem to have failed on that. Luckily on the whole banks are very good about refunding, but it is a pain waiting for your new card.

  6. Ahh, I wonder if that is why I received a letter from my bank saying my card had been used and the fraud investigation team needed to speak to me. Card has been stopped, money will be refunded but now I have to wait for a new card too! Grr.

  7. I was quite close to making an order a few days ago - luckily I didn't and went into a store instead. I'm really annoyed that they knew about the problem and continued to keep the website open - that's a huge lack of care for their customers.

  8. Although it shouldn't have happened, unfortunately it has. No matter how much security is placed on a site, if people REALLY want to hack it they will.

    I placed an order over the time, and have had to contact my bank and cancel my card just like everyone else. Yes it is an inconvenience. But I do also think it was good of Lush to inform its customers, a lot of other companies wouldn't.

  9. I can't believe in today's online world a popular website can allow this to happen and not immediately take action! The hackers must have seen a flaw in their web security and took advantage straight away! Not good!

  10. I've just found out about this and realised that my mum ordered one of my Christmas presents from their website, but hopefully she hasn't been targeted by the hackers! It's scary!

  11. Ughh come on lush! It's not like the internet JUST debuted yesterday. I'm probably going to stick to the stores from now on.

  12. It really makes me think about how careless we are buying stuff online, always trusting that companies are worried about our security. But in fact hacking is quite common.

  13. This does not surprise me at all, and the way they have responded is laughable and so unbelievably unacceptable. Like Dragana has said, it makes you think twice; we put far too much trust into online stores. Hope you have a great weekend Fee

  14. Great post, very intriguing. I was a lucky one, my last order was placed on 3rd October - talk about cutting it fine! Poor show on Lush and the page they have left up is an insult really - not even a helpline number or link for customers affected! Definitely not ordering online from Lush again xx

  15. Maybe you ladies aren't tech minded, but Lush were using the Joomla content system and a free shopping cart called VirtueMart.
    These programs are free open source software, although the Lush site was highly customised in design and usage. The downside is that hackers can download ALL the source code to these free programs and inspect the security for flaws.
    The upside is that flaws are found and fixed by the developer community pretty quickly, but often not quick enough, as in the case of Lush. Somebody wasn't doing their job properly. In the event that they knew of the breach and carried on trading, it should be a police matter in my opinion.
    Also there are many issues to website security, not just the software running the highly complex code but the computer (called a server) also runs code to operate and connect to the Internet. Security settings not implemented can give access to the website code and thus a successful hacking attempt.
    If I were Lush I would sell everything through an eBay shop now and use the current domain as a redirect to the eBay shop. PayPal would do the transactions and instantly gain back some credibility for security and customer care.
    Unfortunately, even the largest websites with the best coders get hacked too, e.g. Google China. In one 18-minute period last April, the traffic from up to 50,000 computer networks around the world was allegedly redirected through China before being rerouted to its final destination.

    Computer technology far extends the casual user's knowledge or abilities, so you really are at your own peril online, I am afraid to say. The money men won't tell you that!

    If you need any more info you can read it here on my website.

    PS This is why I'm 44 and I spend too much time on the net instead of dreaming of romance? lol

