- Phil Lieberman: Lush hack is a potential brand destroyer
The Web site of Lush, the natural ingredients cosmetic firm, was reportedly cracked and subverted by hackers last week. Unconfirmed reports suggest that customers' payment card details have already been used by fraudsters.
According to Phil Lieberman, president of privileged identity management software specialists Lieberman Software, whilst reports of the site hack only broke on the newswires late on Friday, forum postings suggest the attackers had been harvesting customer payment card details for some time.
"This appears to have been confirmed by Lush, which says that anyone who placed an online order between October 4 and last Thursday should contact their bank in case their payment card has been compromised," he said, adding that the BBC reports that customers are now complaining about fraudulent purchases.
This saga is a potential brand destroyer, says Lieberman, as the cosmetics firm could have handled the situation better. One needs only read the comments on the Lush Facebook page, Lieberman added, to see the anger and frustration of the company’s past customers.
“The bare minimum response of companies who undergo similar attacks is usually to fully disclose the scope of the breach, offer a frank apology, and provide a year’s worth of no-cost credit checks for impacted consumers,” said Lieberman. Instead, the company simply said it was aware of the problem.
"I agree with consumers who say that the retailer’s response has been inadequate,” he added. “The company should have responded earlier and with more appropriate action – especially since this organization has been in the industry for several decades and, while portraying itself as a small and laid-back company, is in reality a major chain with a multi-million pound turnover.”
Lieberman went on to say that the firm could face punitive fines from the Information Commissioner's Office, as well as an investigation under the PCI DSS security rules from the Payment Card Industry Security Standards Council. Whilst it's unlikely that Lush will lose its ability to process card transactions as a result of the incident, the firm could find that its card-processing fees will rise, adding substantially to its cost of doing business in the wake of the fiasco.
"This looks like a prime example of how not to handle a serious data security incident. Not only has the retailer alienated large numbers of customers, but it could also pay big penalties on several fronts," he said.
"The real damage lies in the fact that the reputation of the company - which prides itself on customer service and an eco-friendly approach to its products - will take a battering. There are a lot of customers who will be tempted to buy elsewhere, and that is a stark reality," he added.
"Other firms who are concerned about their own Web site and card security arrangements would do well to sit up and take notice."
- Noa Bar Yosef: Lush hack attributed to numerous security vulnerabilities
The Web site of Lush, the natural ingredients cosmetic firm, has reportedly been cracked and subverted by hackers, with reports that customers' card details have already been used by fraudsters.
Lush is urging all customers who bought products online as far back as October to check for fraudulent transactions. So far 43 customers have had their cards used by fraudsters. The thieves bought O2 top-up cards, probably to test the stolen cards in preparation for larger raids. Below is a comment from Noa Bar-Yosef, Imperva’s Senior Security Strategist, on the hack.
Looking further into the hack and what has happened, Noa Bar Yosef observes:
- It seems that Lush's online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they’re taking the website down. So it’s not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.
- The hacks occurred throughout a 4-month timeframe. Yet, they know the exact start and finish dates of the hack, which means that they did have some sort of audit during the attack. Yet, there was probably no one responsible for constantly overseeing the audits to alert in the case of abnormal behavior.
- In regard to the audit – Lush mentions that they are informing all “potentially affected” customers. This means that they do not have the exact details of affected customers. A good audit trail should also provide concrete details regarding who was affected and when.
- The attack clearly shows that Lush was in breach of PCI DSS compliance.
- Look at the “We Believe” statements. There’s no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a “We Believe” on making the website more secure for their customers.