Lush site hack puts customers in danger of fraudsters

Cosmetics retailer Lush has told its customers that their card details could be in the hands of fraudsters after revealing that its online store has been attacked by hackers.

The Dorset firm has suspended online sales and put a message on its website warning anyone who has placed an order between 4 Oct 2010 and 20 Jan 2011 to contact their banks for advice as "their card details may have been compromised".

The company said: "Our website has been the victim of hackers.

"24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website."

Lush said it was working with police to find the perpetrator and will launch a temporary site "in a few days" accepting Paypal payments only.

Paul Smith, who specialises in crisis management at Manchester's Citypress PR, told The Drum: "[Lush] will have their fingers crossed that their customers' card details haven't actually been stolen, or this will become a far bigger issue.

"In times of crisis management it is important to act quickly and thoughtfully, to sort the problem as soon as possible. With these hacks dating back to October there is likely to be massive fallout in the coming days about why they didn't reassure customers sooner."

On its website, Lush posted a message to the hacker calling them "formidable" and a video of dancing lemmings to "try to share a smile" with customers.

Smith said: "They've made it a little bit quirky, which is a bit misguided when people are concerned about their security, especially those who may have bought something online for the first time over Christmas.

"If they have decent crisis management help they will be round a table talking to their web guys and planning how to handle the worst case scenario, finding answers to all the questions they will be asked.

"This will quickly become a bandwagon with a swell of opinion on social sites and blogs. Journalists will talk to their customers. They need a strategy about what to say that will seem reassuring.

"Many brands sign up to social media because they feel it is something they should do. But they need to be prepared to engage with customers even in the bad times."

Smith said the attacks were not likely to do lasting damage to the brand unless it emerges that lots of customers have had their card details stolen.

"When customers find out their details are safe they will settle down, but for the next couple of days a lot of them are likely to be voicing their gripes online. If that happens [Lush] need to be prepared to talk to those people offline and out of public view.

"It's going to be tricky for them to launch a new site, so they need to reassure customers by being seen to be doing all they can, like stepping up security tests."

Join us, it's free.

Become a member to get access to:

  • Exclusive Content
  • Daily and specialised newsletters
  • Research and analysis

Join us, it’s free.

Want to read this article and others just like it? All you need to do is become a member of The Drum. Basic membership is quick, free and you will be able to receive daily news updates.