Lush admitted it did not know how long its servers had been compromised but was informed yesterday by the web-hosting company that its servers had been breached, the company's director, Mark Lincoln, said.
"Yesterday we were contacted by the web hosting provider to say there had been an unauthorised access of the website and data had been downloaded," he said.
"That was picked up by some extra monitoring that we had put in place.
"Once we got that information, we got the ball rolling trying to get a hold of a forensic investigator to help us understand, what was going on, and (we began) talking to banks and credit card holders and working through the process of how to address the problem and what steps we need to take."
Mr Lincoln said that his focus had been to contact customers first to warn them to cancel their cards.
"The customer database for Australian was 39,000," he said.
"We've contact every customer because at this early stage in the investigation we do not know who has been affected. We do not know how long this has been a problem."
Mr Lincoln was unable to say if the credit card details of customers were disguised when stored in the website's database as required under the Payment Card Industry Data Security Standard guidelines.
Mr Lincoln said the breach was so serious that the decision was made to immediately take the site down.
"We believe that this was a serious issue that we needed to communicate to our customers and not put them at risk," he said.
"We are in the process of building a new website. We'll incorporate any new enhancements out of this incident and would hope to have the new website up and running in the next eight weeks.
"We haven't thought that far ahead."
"There is a breach of trust.
"We would hope that by being upfront and open as soon as possible customers would see we are an ethical business and we are upfront and we will make the enhancements required."
In an email sent to customers this morning, the company urged customers who have placed an online order with the company to contact their bank to discuss cancelling their credit cards.
"While our website is not linked with the Lush UK website, it appears the Australian and New Zealand Lush sites have also been targeted," the letter read.
"As a precautionary matter, we have removed access to our website while we carry out further security checks."
No comments:
Post a Comment