The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
I ordered the Mrs. some smelly bath things for Christmas from a site called Lush.co.uk. About half an hour ago I received an email from them informing me that their site has been 'hacked' and any customers who have shopped online with them between 4th Oct and 20th January should contact their banks 'for advice'. I did this just to cover myself and my credit card company informed me that they must cancel my card with immediate effect? Don't know if this is them just being overly cautious or whether these people have indeed successfully gathered the card details of customers who used this site during the mentioned period? Unless other sites have been affected I doubt this will be of relevance to anyone on here but just thought I'd mention it.
(I say this as I ended up buying enough solid shampoo to see me through university and possibly through life...all for less than a tenner...happy days!)
But I can see them deserving a sharp rap on the knuckles for allowing this to happen though!
Garin wrote....
Bit defensive there, Warhunt. ;)
Really? It wasn't meant to come out that way.
Looking further into the hack and what has happened, Noa Bar Yosef, Imperva’s Senior Security Strategist, observes:
1. It seems that Lush's online application is riddled with vulnerabilities. They even comment on continuing to be a target and so they're taking the website down. So it's not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.
2. The hacks occurred throughout a 4-month timeframe. Yet, they know the exact dates of start-finish of the hack, which means that they did have some sort of audit during the attack. Yet, there was probably no one responsible to constantly oversee the audits to alert in the case of abnormal behavior.
3. In regards to the audit – Lush mentions that they are informing all “potentially affected” customers. This means that they do not have exact affected customers details. A good audit trail should also provide concrete details regarding who was affected and when.
4. The attack clearly shows that Lush was in breach of PCI DSS compliance.
5. Look at the “We Believe” statements. There’s no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a “We Believe” on making the website more secure for their customers.
There you go... what do you make of that, Garin? ;¬)
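Points 2 and 3 of the Imperva list above (a known start and end date for the attack, but only "potentially affected" customers) turn on what the audit trail actually records. Below is an added example, not code from the original thread, from Lush or from Imperva: a per-request audit log of reads of stored customer/order records, with a check that flags sessions walking through other people's records and returns a concrete list of who was touched and when. The log lines, field names (session, ip, path, customer) and the threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not a real format): one line per request that
# read a customer's stored order record. Normal shoppers read their own record
# a few times; two sessions from the same address step through many customers.
SAMPLE_LOG = """\
2010-10-04T09:12:01 session=a1 ip=203.0.113.5 path=/account/order/1001 customer=1001
2010-10-04T09:12:40 session=a1 ip=203.0.113.5 path=/account/order/1001 customer=1001
2010-10-04T21:03:11 session=z9 ip=198.51.100.7 path=/account/order/1001 customer=1001
2010-10-04T21:03:12 session=z9 ip=198.51.100.7 path=/account/order/1002 customer=1002
2010-10-04T21:03:13 session=z9 ip=198.51.100.7 path=/account/order/1003 customer=1003
2010-10-04T21:03:14 session=z9 ip=198.51.100.7 path=/account/order/1004 customer=1004
2010-10-05T10:30:00 session=b2 ip=192.0.2.44 path=/account/order/1005 customer=1005
2011-01-20T02:15:09 session=q7 ip=198.51.100.7 path=/account/order/1006 customer=1006
2011-01-20T02:15:10 session=q7 ip=198.51.100.7 path=/account/order/1007 customer=1007
2011-01-20T02:15:11 session=q7 ip=198.51.100.7 path=/account/order/1008 customer=1008
"""


def parse_line(line):
    """Parse one constructed audit line into a dict; 'ts' becomes a datetime."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def parse_log(text):
    """Parse the whole log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_affected(records, max_distinct_customers=2):
    """
    Flag any session that reads more distinct customers' records than a
    legitimate shopper plausibly would (the threshold is an assumption and
    should be tuned per site). Returns a tuple of:
      flagged   - {session: [customer ids it read]}
      affected  - sorted list of every customer read by a flagged session
      first     - ISO timestamp of the earliest flagged request (or None)
      last      - ISO timestamp of the latest flagged request (or None)
    The last two give the breach window; 'affected' is the list a notice
    should be based on instead of "everyone who shopped in the window".
    """
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)

    flagged = {}
    for sess, recs in by_session.items():
        customers = {r["customer"] for r in recs}
        if len(customers) > max_distinct_customers:
            flagged[sess] = sorted(customers)

    affected = sorted({c for cs in flagged.values() for c in cs})
    times = [r["ts"] for sess in flagged for r in by_session[sess]]
    first = min(times).isoformat() if times else None
    last = max(times).isoformat() if times else None
    return flagged, affected, first, last


if __name__ == "__main__":
    flagged, affected, first, last = find_affected(parse_log(SAMPLE_LOG))
    print("flagged sessions:", flagged)
    print("affected customers:", affected)
    print("window:", first, "to", last)
```

Run over the constructed log this flags sessions z9 and q7, names seven affected customers, and gives a window from 2010-10-04T21:03:11 to 2011-01-20T02:15:11. The same query run daily (rather than once after the fact) is the "someone overseeing the audits" that point 2 says was missing.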
In relation to my post at least, I was replying to Chris, suggesting they do seem to be taking it seriously now. Whether they took too long to do so or not I'm not commenting on, just the post does seem serious at this point. And apologetic.
Perhaps they should have taken it seriously earlier? Although you don't really know the inside scoop. Maybe it was an inside jobby after all, and that's why it took so long to notice/deal with? Seems a reasonable conspiracy theory :P
Hmmm... wrote:
I can't see anyone talking about the 3rd party they use for "secure server for processing credit card transactions" - rather odd.
I suspect the phrasing is a bit of a red herring. They might use a 3rd party for credit card transactions, it doesn't mean they are using it on the front end though. I bet Lush take the CC details and then use the 3rd party when processing the order. So probably nothing to do with the CC processor. It might explain the 3 month (ish) time period as well because when you take CC details you can only keep them for a limited period.
Seriously though, how was this allowed to happen? Credit card details were not supposed to be stored by the site but they quite clearly were. Lush had no other option but to come clean about it at some point but this security breach had apparently been going on for 3 months! How did the problem go undetected for so long? Or were they aware of the breach but thought they could plug it? Like I said it's not the end of the world but it is annoying and inconvenient for those affected. Lush are a well known and supposedly reputable company and I would imagine that there may well be other online retailers who have been trading in this way. If that is the case then could there be other sites that have been compromised in a similar fashion?
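The two posts above turn on the same point: once the card has gone to the processor, the shop's own order record should not contain the card number at all, and whatever card reference it does keep should not outlive its business need. The following is an added example, not code from the original thread or from Lush: it validates the number's shape (Luhn), masks it for display, builds an order record that holds only a processor-issued token plus last four and expiry, and purges those references after a retention window. The processor token, order IDs, dates and the 90-day window are constructed assumptions; no real processor API is called.

```python
from datetime import datetime, timedelta


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on a digit string (a format check, not proof the card is real)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most first six and last four visible, the rest replaced by '*'."""
    if not luhn_ok(pan):
        raise ValueError("not a card-number-shaped string")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_order_record(order_id, pan, expiry, processor_token, stored_at):
    """
    Record the shop keeps after the processor has taken the full PAN.
    'processor_token' is assumed to come back from the payment processor and
    to be meaningless outside it; 'stored_at' is an ISO date string. The full
    PAN is deliberately never placed in the returned dict. (Hashing the PAN
    yourself is not a substitute for a processor token: the number space is
    small enough to enumerate.)
    """
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check")
    return {
        "order_id": order_id,
        "card_token": processor_token,
        "card_last4": pan[-4:],
        "card_expiry": expiry,
        "stored_at": stored_at,
    }


def contains_pan(record, pan: str) -> bool:
    """What a reviewer would grep a database dump for: the raw number in any field."""
    return any(isinstance(v, str) and pan in v for v in record.values())


def purge_stale_card_refs(records, now_iso: str, retention_days: int = 90):
    """
    Return copies of 'records' with the card token, last four and expiry
    removed from any record older than the retention window. The order
    itself is kept; only the card reference is dropped.
    """
    now = datetime.fromisoformat(now_iso)
    out = []
    for r in records:
        r = dict(r)
        if now - datetime.fromisoformat(r["stored_at"]) > timedelta(days=retention_days):
            for k in ("card_token", "card_last4", "card_expiry"):
                r.pop(k, None)
        out.append(r)
    return out


if __name__ == "__main__":
    test_pan = "4111111111111111"   # well-known test card number, Luhn-valid
    rec = build_order_record("A100", test_pan, "12/12", "tok_constructed_01", "2011-01-20")
    print(mask_pan(test_pan), rec, contains_pan(rec, test_pan))
    print(purge_stale_card_refs([rec], "2011-06-01"))
```

The useful check here is `contains_pan`: run against every field of every stored record it answers the "were card details being stored?" question directly, which is what the post above says Lush apparently got wrong.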
Something looks a bit strange to me though...
This has been going on for quite a long time. Further reading shows they might have known about problems in December but let things run.
I can't see anyone talking about the 3rd party they use for "secure server for processing credit card transactions" - rather odd.
So perhaps it's either an inside job or things weren't setup very well?
They didn't have any choice than to take the site down as they are no doubt in danger of losing their Merchant Account depending on what was going on...