Lush says site wasn't PCI-compliant
Lush cosmetics has admitted that its website was in breach of security standards and that its database was "old" when it was cracked, exposing an unknown number of credit cards to thieves.
(Space profile image by Motorpsykhos, CC2.0)
The company said that it didn't comply to the Payment Card Industry Data Security Standard (PCI DSS), which is the minimum IT security requirements set by credit issuers Visa, MasterCard and American Express. These companies mandate that businesses must protect credit card information if they wish to process the transactions. Non-compliance carries hefty fines and the potential for credit issuers to revoke a company's credit processing ability.
Lush Australasia director Mark Lincoln said the company had been in the process of deleting stored customer credit information when the breach occurred.
"The code that the website was written in was a very old version and it hadn't been updated, so it was a legacy from that code," Lincoln told ABC radio Melbourne.
"So we had become aware that was an issue, and we were in the process of making changes to the code."
Lush said it is moving to a PCI DSS-compliant website.
The company has recruited forensic company Vectra to conduct a post-mortem assessment of the crack and determine the vulnerabilities of the site.
"We are currently conducting a forensic investigation of the breach and will have a detailed report later," the company said. "We aren't able to comment further."
The Australian website hosting provider of Lush cosmetics, Brennan IT, has washed its hands of the attack. It said the breach was conducted on systems administered by Lush but did not elaborate on details.
"It's a Lush internal issue. Everything we managed was fine," Brennan IT managing director Dave Stevens said. "We are monitoring the site."
He said that the hack triggered intrusion detection systems and that Brennan IT was alerted "within minutes".
The attack came on the heels of a similar breach of the Lush UK website in which credit cards were stolen; however, Lush said its international websites operate independent code and software.