Lush Credit Card Data Breach

Before I go into my thoughts on the recent Lush website credit card data breach, I have some important advice to all Lush online customers. If you have bought anything from the www.lush.co.uk website between October 2010 and January 2011, and even if you think your credit or debit card hasn’t been fraudulently used, you must consider your credit or debit card to be compromised, so cancel your card and have it replaced. Also note this breach does not affect anyone who used credit or debit cards over the counter at Lush shops, as it’s an entirely different payment system.

When Lush announced their website, www.lush.co.uk had been successfully hacked last week (21 Jan 11), leading to thousands of their customer’s credit card details being stolen, I was genuinely surprised. I wasn’t surprised that yet another UK online business had completely shirked their responsibilities, in not properly protecting their customer’s information by neglecting one of the most basic of web application security vulnerabilities, and their compliance to the Payment Card Industry Data Security Standard (PCI DSS). What surprised me was unlike the other 99 in 100 UK companies that get successfully breached with such attacks, Lush decided to tell the world about their negligence. Yes Lush in my view were most certainly negligent, as the SQL web application vulnerability which is very likely to have led to the theft of their customer card details, is a vulnerability which has been around for over a decade. Negligent as if Lush they were PCI DSS compliant as they are required to be in accepting payments online, or even made a decent effort to become PCI DSS compliant, then such a simple web application vulnerability flaw would of been almost certainly weeded out.

Many within the payment card industry would consider Lush has been naive in announcing their breach publically, as they really don't have to, even Visa and MasterCard dislike the bad publicity public disclosure of payment card breaches brings to their brands. This is precisely why the vast majority of credit card breaches in the UK are not publically known about, typically only the ones in the public sector makes news, perhaps Lush had been misadvised I actually applaud such public announcements, as I strongly believe publicizing such breaches is the best way to raise awareness and to ensure others can be educated from the mistakes, as these mistakes are being repeated over and over.

However Lush’s breach announcement leaves me with a real bad bath bomb taste in my mouth, not because their language is so cheery, which would personally really annoy me if they were responsible for compromising my credit card, causing needles stress and inconvenience, and possibly even financial loss. It wasn’t that, but it was their direct message to the hacker responsible which they posted on their website, this message was nothing less than a pat on the back to the criminal responsible for the data theft. It certainly doesn’t take a formidable hacker to take advantage of weak web application security, in fact any semi-IT iterate school boy is capable. For me the blame lies a lot more with Lush than their hacker. For instance if I left my car keys in my unlocked car on a public street and my car got stolen, my insurance company wouldn’t pay out a penny, while the police would almost certainly point the finger of blame on myself. Same thing here, if you don’t securely code your web application (website) and do not follow the PCI DSS requirements, yes PCI DSS is mandatory for any business accepting card payments, then just like the car with the car keys left in the ignition, it is pretty clear where the fault and blame lies.

Perhaps Lush won’t be so cheery when they assess how much this breach will cost their business. Aside from the loss of customer trust, they will be facing fines which will include the cost of replacing their customer’s stolen credit cards, forensic investigations and an independent level PCI DSS level 1 assessment. In the meantime Lush will be outsourcing all of their online payments to PayPal, which will make credit card payments online with Lush safe, assuming you are willing to take your business to them.