Not so Lush

Lush Cosmetics seem to be the latest Australian retailer to have suffered a credit card breach.

From the article:

"Yesterday we were contacted by the web hosting provider to say there had been an unauthorised access of the website and data had been downloaded," he said.
"That was picked up by some extra monitoring that we had put in place.
"Once we got that information, we got the ball rolling trying to get a hold of a forensic investigator to help us understand what was going on, and (we began) talking to banks and credit card holds and working through the process of how to address the problem and what steps we need to take."
"We would hope that by being upfront and open as soon as possible customers would see we are an ethical business and we are upfront and we will make the enhancements required."
While I do applaud the company's reaction of going public immediately and contacting their 39,000 Australian customers, I do find it a little disturbing that security comes under "enhancements" - it makes it sound like a luxury add-on (e.g. leather car seats) as opposed to a pretty fundamental requirement (e.g. seatbelts or airbags).

Real details on the breach are scarce, so there's no indication whether they were storing credit card numbers in cleartext (hello PCI-DSS!) or whether they suspect the bad guys had just pwned the server and were capturing transactions as they occurred.

I guess the good news is that it is hitting the major news sites down under - so other businesses may review their web security and ask themselves "have we done enough?"
