Last month’s compromise of the UK website of the natural ingredients cosmetic firm Lush and the theft of its customers’ credit card details must have hurt the company but unfortunately, its troubles are not over yet.
“We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked,” it says in a statement posted on the sites in question, whose contents have been completely removed while security checks are performed.
“We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers. We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if canceling their credit cards is advisable,” encourages the company.
Whether that means that Lush hasn’t been storing that data in encrypted format or whether it really wants to cover all bases just in case, it’s anyone’s guess. It’s also unknown whether the attacker(s) compromised all the sites in the same way – the statement only says that the UK site and the Australian and New Zealand sites are not connected.