A recent story highlighted the failings of the ecommerce site of UK-based cosmetics group LUSH to properly secure numerous vulnerabilities. The exposures took place through a sustained hacking attack dating back over a number of months, according to reports. Customer bank details were exposed throughout this time and numerous customer credit card numbers have already been used. Customers who bought products online as far back as October have been advised to check for fraudulent transactions. The site at this time is still down and an apology is on the front page. They even went so far as to half-jokingly offer the hacker a job.
This exposure of data indicates a significant lapse in PCI compliance regulations. Penalties for this kind of incident are quite severe and the reputation of this company will take time to recover if it ever will at all. There’s a reason for those severe penalties- incidents like this can shake a consumer’s trust in online purchase safety.
It is interesting that in their own statement, Lush described “24 Hour Monitoring” but it apparently was ineffective to detect this breach for nearly four months. This is just plain sloppy. What could have been done differently? Well a centralized logging system most certainly detect and report all access, authorized or not, in any case. Security event monitoring would have produced timely results. Those things and due attention to PCI compliance would have averted this whole mess.
The entire internet needs to pay heed to security, compliance and standards. The safety of customer data is no laughing matter and the very foundation of internet commerce is the trust in the sites that we visit and buy from.