When Lush announced their website, www.lush.co.uk had been successfully hacked last week (21 Jan 11), leading to thousands of their customer’s credit card details being stolen, I was genuinely surprised. I wasn’t surprised that yet another UK online business had completely shirked their responsibilities, in not properly protecting their customer’s information by neglecting one of the most basic of web application security vulnerabilities, and their compliance to the Payment Card Industry Data Security Standard (PCI DSS). What surprised me was unlike the other 99 in 100 UK companies that get successfully breached with such attacks, Lush decided to tell the world about their negligence. Yes Lush in my view were most certainly negligent, as the SQL web application vulnerability which is very likely to have led to the theft of their customer card details, is a vulnerability which has been around for over a decade. Negligent as if Lush they were PCI DSS compliant as they are required to be in accepting payments online, or even made a decent effort to become PCI DSS compliant, then such a simple web application vulnerability flaw would of been almost certainly weeded out.
Many within the payment card industry would consider Lush has been naive in announcing their breach publically, as they really don't have to, even Visa and MasterCard dislike the bad publicity public disclosure of payment card breaches brings to their brands. This is precisely why the vast majority of credit card breaches in the UK are not publically known about, typically only the ones in the public sector makes news, perhaps Lush had been misadvised I actually applaud such public announcements, as I strongly believe publicizing such breaches is the best way to raise awareness and to ensure others can be educated from the mistakes, as these mistakes are being repeated over and over.
Perhaps Lush won’t be so cheery when they assess how much this breach will cost their business. Aside from the loss of customer trust, they will be facing fines which will include the cost of replacing their customer’s stolen credit cards, forensic investigations and an independent level PCI DSS level 1 assessment. In the meantime Lush will be outsourcing all of their online payments to PayPal, which will make credit card payments online with Lush safe, assuming you are willing to take your business to them.
In e commerce sites where credit card integrity is at stake, we need the newest technology in security and compliance.
ReplyDeleteseo reseller
Excellent article, I’ve never seen this info in concise form with an explanation before. Great work! I appreciate it.
ReplyDeleteForeign Investment Review Board
It didn't came into my knowing about how the website could potentially harm into data breach. thanks for sharing!
ReplyDeleteThanks for sharing this. It is immensely helpful and informative.
ReplyDeleteIts not the case that reader must be completely agreed with author's views about article. So this is what happened with me, anyways its a good effort, I appreciate it. Thanks
ReplyDeletethis page is exactly what I was searching for! found your article bookmarked by a friend of mine. I will also bookmark it. thanks!
ReplyDeleteThank you for the excellent content I did experienced studying it, I want to motivate that you proceed your excellent job, have a excellent day.
ReplyDeleteThat is really fascinating, You are a very professional blogger. I've joined your rss feed and sit up for in quest of extra of your fantastic post. Also, I have shared your site in my social networks
ReplyDelete