UPDATED 13:26 EDT / FEBRUARY 01 2011

Lush credit hack was preventable

A recent story highlighted the failings of the ecommerce site of UK-based cosmetics group LUSH to properly secure numerous vulnerabilities.  The exposures took place through a sustained hacking attack dating back over a number of months, according to reports.  Customer bank details were exposed throughout this time and numerous customer credit card numbers have already been used.  Customers who bought products online as far back as October have been advised to check for fraudulent transactions.  The site at this time is still down and an apology is on the front page.  They even went so far as to half-jokingly offer the hacker a job.

This exposure of data indicates a significant lapse in PCI compliance regulations.   Penalties for this kind of incident are quite severe and the reputation of this company will take time to recover if it ever will at all.  There’s a reason for those severe penalties- incidents like this can shake a consumer’s trust in online purchase safety.

It is interesting that in their own statement, Lush described “24 Hour Monitoring” but it apparently was ineffective to detect this breach for nearly four months.  This is just plain sloppy.  What could have been done differently?  Well a centralized logging system most certainly detect and report all access, authorized or not, in any case.  Security event monitoring would have produced timely results.  Those things and due attention to PCI compliance would have averted this whole mess.

The entire internet needs to pay heed to security, compliance and standards.  The safety of customer data is no laughing matter and the very foundation of internet commerce is the trust in the sites that we visit and buy from.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU