Create a free account, or log in

Experts warn Lush credit card and website fiasco highlights importance of security

The hacking and subsequent disconnection of cosmetics retailer Lush’s website is a warning for SMEs that credit card data should remain carefully encrypted and stored in a separate space that cannot be accessed by digital thieves, experts warn. The warnings come after Lush’s website was taken down by an anonymous group of hackers weeks after […]
Patrick Stafford
Patrick Stafford

The hacking and subsequent disconnection of cosmetics retailer Lush’s website is a warning for SMEs that credit card data should remain carefully encrypted and stored in a separate space that cannot be accessed by digital thieves, experts warn.

The warnings come after Lush’s website was taken down by an anonymous group of hackers weeks after a similar incident occurred to its British counterpart.

Lush was contacted for comment this morning but no reply was received before publication. It’s site remains down this morning.

Mark Lewis, chief executive of IP Payments, says the announcement from Lush that customers should investigate cancelling credit cards suggests the company may not have been strictly abiding by industry standards.

“From the initial reports I’ve seen it suggests they were running a back-end application that had not been secured. It is part of a business’s obligation to protect credit card data and they should accept the standards of the industry,” he says.

“If the website had been coded securely then they wouldn’t have been susceptible to these attacks and even if it was, that data shouldn’t have been vulnerable.”

Lewis says one of the PCI industry standards states that credit card information needs to be stored separately and encrypted in the back end of a website, so that even if it was compromised a hacker could not interpret it.

“If all the right tools are set up it’s extremely unlikely that hackers would be able to break in. They would have to break through peer reviewed encryption algorithms, which is pretty much unheard of,” he says.

“This is a very embarrassing situation. It shows that SMEs and large corporates need to know about a broader problem whereby many companies aren’t abiding by these principles.”

The Lush website has been replaced with a statement which warns customers that credit card data has been compromised.

“We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers,” it says.

“We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.”

But the issue isn’t just that credit card data has been compromised. Acronis country manager for Australia and New Zealand Simon Howe says the fact that the Lush website has been offline for some time is a nightmare for any e-commerce operator.

“This issue reinforces the issue of downtime that affects any business,” he says. “Now it seems as though the site has been taken offline to protect it from further attacks.

“But in any downtime scenario there is a huge cost and that’s something I would want to enforce. Any downtime is costly and that is exacerbated in an e-commerce environment.”

A recent report from Symantec has found that a website outage costs every small business an average of $32,000 per day.

Recent figures from the company’s report on the underground economy found that credit card information is the most advertised category out of all the goods and services being sold on the underground market, accounting for 31% of all trading.

The company also pointed out that stolen credit card numbers sell for as low as 10 cents and the average advertised stolen credit card limit is more than $4000.

Peter Sparkes, Symantec senior manager for the managed services team, says PCI industry standards are a basic measure for protection and all businesses need to ensure how they can comply.

“I’d emphasise these are just minimum standards as well. The PCI industry has 12 effective requirements and those are broken down but they are quite minimal – firewalls, testing and so on. Anyone handling credit card data should look at them.”

Sparkes says the issue businesses need to realise is that if you don’t need to store credit card data then don’t store it at all.

“After the transaction has been completed, don’t store that data if you can help it. Segment as much off the physical and virtual data that you can, so only minimal amounts of people have access to those systems,” he says.

“You also need to get tested by a third party to see if you are compliant to all of these standards.”

Others in the payments industry have warned that credit card data needs to be properly secured.

PayPal Australia managing director Frerk-Malte Feller said more education is needed in that area.

“The rise in consumer shopping online must not be taken lightly and security around payments is still a major concern for consumers,” he says.

“Operating an online store has wide-ranging benefits to Australian retailers both large and small – from reaching new customers both at home and overseas to decreasing operating costs.

“Whilst these benefits are great, making the move online should be well planned and security should sit at the heart of any online strategy.”