Dorset-based cosmetics retailer Lush has disclosed, in a brief notice posted to its website on 11 January, that it has fallen victim to a cyber security incident of a currently undisclosed nature.
“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation,” the organisation confirmed. “The investigation is at an early stage, but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”
Because the precise nature of the incident remains undisclosed, Lush will face inevitable speculation that it has been affected by ransomware, but this is entirely unconfirmed.
At the time of writing, Lush’s retail website remains accessible over a public internet connection, which strongly suggests that many of its internal IT systems are unaffected.
Ransomware attacks frequently result in multiple systems being pulled offline – often by panicked IT admins – leading to website outages for customers, which is not currently the case.
Brian Boyd, head of technical delivery at i-confidential, said: “Details [of] this breach are still emerging, so it’s not clear what type of attack Lush is experiencing, but it sounds like the company is investigating the incident and working to contain its spread.
“Lush is a massive cosmetics company that operates globally, so the perpetrators have potentially gained access to a treasure trove of customer data, which they could use to extort the company or to execute targeted phishing scams,” he said. “Lush must inform impacted parties as a priority so they can take steps to protect their data. Customers must understand if and how their data has been impacted, because any compromised information could be used against them.”
A family-run company throughout its history, Lush started life as a supplier of products to the Body Shop, but in the mid-1990s moved away from that relationship and pioneered a new and highly successful approach to retailing cosmetics. It sets out its stores with attractive and colourful displays reminiscent of a greengrocer's, and places an emphasis on in-house, ethical production methods and environmental sustainability.
This approach has also been applied to its IT estate, with the organisation demonstrating a strong preference for doing things in-house, and heavily favouring open source services and ethical suppliers – its datacentre provider, for example, is powered by renewable energy.
In 2021, the organisation spoke to Computer Weekly about how it gave its authentication systems a thorough makeover after becoming alert to the need to improve how it protected customer data, given its growing integration with third-party services that relied on multiple different standards.
This project ultimately saw it pair up with authentication specialist Auth0, which went on to be acquired by Okta in 2022.
At the time of writing, there is no suggestion that the current incident is in any way linked to the subsequent compromises of Okta’s infrastructure that embroiled several other identity and access management specialists, and no such link should be inferred.