Many within the payment card industry would consider Lush naive for announcing its breach publicly, as it was under no obligation to do so; even Visa and MasterCard dislike the bad publicity that public disclosure of payment card breaches brings to their brands. This is precisely why the vast majority of credit card breaches in the UK never become publicly known; typically only those in the public sector make the news. Perhaps Lush was misadvised, but I actually applaud such public announcements, as I strongly believe publicizing breaches is the best way to raise awareness and to ensure others can learn from the mistakes, because the same mistakes are being repeated over and over.
Perhaps Lush won't be so cheery when it assesses how much this breach will cost the business. Aside from the loss of customer trust, it will be facing card scheme fines and costs, including the cost of replacing its customers' compromised credit cards, forensic investigations and an independent PCI DSS Level 1 assessment. In the meantime Lush will be outsourcing all of its online payments to PayPal, which should make online credit card payments with Lush safer, since card data will no longer pass through Lush's own systems, assuming you are willing to take your business to PayPal.