Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Cosmetic Retailer Lush Targeted By Hackers

Posted by timothy on from the people-are-bad dept.

Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"

109 comments

  1. Note to self: by Anonymous Coward · · Score: 0

    Don't feed the trolls.

  2. Color me nonplussed by akkornel · · Score: 1

    Well, you could, that is, if you were able to get your hands on any fine Lush products, but now you can't, so I guess I'm not nonplussed after all.

    How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

    1. Re:Color me nonplussed by daid303 · · Score: 1

      How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

      There are alternatives. For The Netherlands we have iDEAL: http://en.wikipedia.org/wiki/IDEAL

      It works very simple, you only authorize a single payment. They could scam you out of a single payment but that's it. I exclusively buy online at shops that support iDEAL. And that list is growing fast, Steam also supports iDEAL for half a year now, and Blizzard accepts it as payment method. The whole credit card setup is so stone-aged compared to this.

      Also note that I don't need to setup a different account or anything else. Because I have an account at one of the banks supporting iDEAL. It requires the same 2 factor authentication as I use for online banking. So it all feels familiar.

    2. Re:Color me nonplussed by dtml-try+MyNick · · Score: 1

      Agree, iDeal may not be the end all, be all, solution for online transactions but it's pretty solid, safe and simple.

      Currently I only do payments via iDeal or paypall only. My paypall accounts is empty most of the times. If I want to buy something via paypall I transfer the amount of money needed first and then make the transaction.

      --
      Life starts at the end of your comfort zone.
    3. Re:Color me nonplussed by cdrguru · · Score: 2

      Your credit card will be compromised. It is a fact of life.

      Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people. Credit card companies do not prosecute - ever. So, even if someone is caught they aren't going to do any time.

      Magnify the opportunity and reward 1000 times for a credit card database.

      I do not know of anyone ever that had to pay for their credit card being used fraudulently. Generally I get a phone call asking if some purchase was mine and when the answer is no it is removed from the bill and a new card is mailed out. Period. Nothing else.

      I don't undersand what all the fuss is about. Yes, you will get a new credit card number periodically. So?

    4. Re:Color me nonplussed by GameboyRMH · · Score: 1

      Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people.

      That's it? Hahaha, suckers!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:Color me nonplussed by KingAlanI · · Score: 1

      PayPal has instant transfers out of attached bank accounts available at least in the US.
      Then you don't have the delay of waiting for the transfer to clear and add to your account balance, then paying with your balance.

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
  3. Oh come on... by samcan · · Score: 3, Interesting

    It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

    1. Re:Oh come on... by Anonymous Coward · · Score: 1

      Such is not always the case. Even if you run a top notch secure system, there will always be bugs and ways to compromise it.

    2. Re:Oh come on... by Haedrian · · Score: 1

      or whether the guy who designed the kit was formidable.

    3. Re:Oh come on... by rtfa-troll · · Score: 5, Insightful

      A "top notch" IT team will have

      • offline backups
      • the ability to restore quickly
      • the ability to expand capacity quickly
      • the ability to do almost immediate updates*
      • basic forensic ability to work out what's going on

      Sure, your system may be compromised. Sure; the first replacement system may be compromised again. During the compromise of the second you should get enough logs that the third (or at worst fifth time) you come back, all the zero day attacks the attacker is using have gone.

      Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable"

      * at the cost of a short term outage;

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:Oh come on... by Anonymous Coward · · Score: 0

      "It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."

      No, it's whether Lush actually HAVE an IT team, or if they hired someone to build them a site and then neglected it.

    5. Re:Oh come on... by 1s44c · · Score: 1

      It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

      Exactly. I'll bet the lush IT team consists of a few guys who might be reasonably smart but they just can't cover the amount of work they are meant to be doing. Management interference and other distractions most likely mean they could not keep track of all the work they should be doing.

      Unless they took the Microsoft route that is. Then they most likely employed a bunch of MCSE's who don't really understand technology, spent a fortune on windows servers and another fortune on active directory servers, and still got cracked endlessly.

    6. Re:Oh come on... by Anonymous Coward · · Score: 1

      "It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."

      No, it's whether they actually HAD an IT team, or whether they just paid for a website and expect it to run forever with their great management skills.

    7. Re:Oh come on... by Elentari · · Score: 2

      This is the forum post from their singular IT team member about the incident: http://img35.imageshack.us/img35/3715/lushpostuk.jpg

    8. Re:Oh come on... by Anonymous Coward · · Score: 0

      Back doors in the code base? This does seem to imply a former employee or contractor was involved.

    9. Re:Oh come on... by Nick+Ives · · Score: 2

      Not if the "zero day attacks" are in the bespoke code for your website. Then you'd be in the situation of getting whoever wrote your code to to sort their mess out, which for a relatively small firm like Lush would probably mean dragging back in whatever lowest bidder contractor they used.

      --
      Nick
    10. Re:Oh come on... by Anonymous Coward · · Score: 0

      Maybe their admin password was 'password'

    11. Re:Oh come on... by jimicus · · Score: 2

      Lush isn't an IT firm, they're a cosmetics firm.

      I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.

    12. Re:Oh come on... by Anonymous Coward · · Score: 0

      It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

      Not every company has the means to higher the 99th percentile in computer talent, which means that they will be vulnerable to attack from the most skilled attackers. For some reason this jackass has decided to target this company, and they now have to deal with being pushed into the deep end of the black hat pool.

      That doesn't make their IT team any less competent in having decent availability and response time. Perhaps you're a super class-A computer guy, but I'd hazard to guess that there are people out there that could eat you for lunch, so don't get too high and mighty just because some other guy may not live up to your standards. We all do the best we can in this world, and sometimes it's enough and sometimes it's not. There's no shame in admitting there are people who are more skilled than you.

    13. Re:Oh come on... by rtfa-troll · · Score: 1

      dragging back in whatever lowest bidder contractor they used.

      We are discussing here a "top notch" IT team.

      a) they wouldn't have used a lowest bidder in the first place

      b) once they know the URL they would be able to use one of the Apache filtering modules or a feature of their load balancer to block that URL

      c) once they captured the URL that caused the break in they could just fix the code themselves; being top notch they won't be using anything they don't have the code to.

      Even a slightly less than top notch company will have a support contract and in the case of a less than immediate response will have a notice like "waiting for Oracle support to respond"; "up as soon as Microsoft can fix IIS" which is the kind of thing which tends to get these companies to do a very quick fix.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    14. Re:Oh come on... by rtfa-troll · · Score: 1

      I was going to say that; if they are making most of their business online then they are an IT company; they just haven't realised it yet. However, it seems like in fact they probably do most business over the phone and in shops so I will actually say that it's good that they stood up and admitted what happened. Hopefully they learned and next time they'll get someone competent to run their online store.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    15. Re:Oh come on... by Anonymous Coward · · Score: 0

      Your "URL" is not going to help you every time. There are a ton of other ways to compromise systems.

      Let me repeat: Even if you run a top notch secure system, there will always be bugs and ways to compromise it.

      A top notch IT team can be prepared for rescuing from a mishap, but not to avoid it. If you believe you are completely secure, you are either misguided about security or plain stupid.

    16. Re:Oh come on... by rtfa-troll · · Score: 1

      I read that as SQL injection points or equivalent. I don't think he means deliberately placed back doors. He's clearly a bit of a novice on some aspects of the security.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    17. Re:Oh come on... by Ritchie70 · · Score: 1

      I doubt much is online sales. The noxious fumes from their heavily scented products make a trip to Macy's highly unpleasant if you wander into the wrong part of the store.

      --
      The preferred solution is to not have a problem.
    18. Re:Oh come on... by internewt · · Score: 3, Insightful

      Maybe their admin password was 'password'

      It was worse than that.... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.

      http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk

      Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.

      But lets be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.

      --
      Car analogies break down.
    19. Re:Oh come on... by drinkypoo · · Score: 4, Interesting

      Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.

      My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    20. Re:Oh come on... by catmistake · · Score: 2

      2000 was the best version of Windows that MS ever made

      Still... it's a dubious honor.

      IMHO, Windows Servers have a purpose... to help administrate lots of Wndows Desktops with Active-Directory, and, of course, Exchange. When running Exchange, you need a couple or three compentant administrators, that do nothing else, who are constantly on top of things... because it doesn't run by itself.

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      BAD METAPHORE TIME: Hardcore Microsoft-loyalist Windows Admins saw the movie first, and insist it was better than the book. The rest of us actually appreciate literature.

      --
      The Admin and the Engineer
    21. Re:Oh come on... by jimicus · · Score: 1

      The hackers have already demonstrated that they're probably a cut above the average script kiddie, insofar as they hacked the site to forward credit card numbers and this went unnoticed for a couple of months.

      There's a good chance that the IT team at the time this all blew up weren't sure exactly how the hackers got in in the first place. And if they were, they had evidence to suggest that attacks continued after the website was brought down and fixed. In which case, one line added to mod_security configuration may block the issue that caused the original hack but it won't do anything for any of the other issues that may exist.

      Were I to hazard a guess (and from my own experience of corporate IT), I'd wager that Lush's IT department have been trying to get a project for some major website re-redevelopment approved for some time. It wouldn't surprise me if they knew full well the site was a disaster waiting to happen, but until that disaster does happen it can be very difficult to get such projects approved.

      I daresay that the project will be made top priority now.

    22. Re:Oh come on... by jimicus · · Score: 3, Insightful

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      ... perfectly correct, provided the server is administered competently.

      This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.

      And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There's plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.

      I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.

      The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.

    23. Re:Oh come on... by AndGodSed · · Score: 1

      A "top not" IT team will have a proper budget.

      Most of the things you mentioned cost money, and sadly most IT teams are the bastard children of management decisions as far as budget goes.

      It usually takes something like this before management decides to finally empower the IT team with some form of financial support for their IT needs.

      --

      Seven Days with Ubuntu Unity

    24. Re:Oh come on... by new500 · · Score: 1

      Upvote please the guy immediately above who knows a bit about Windows. It's hard, but do-able.

    25. Re:Oh come on... by Anonymous Coward · · Score: 0

      It's fine that competently administrating a Windows web server is difficult not in the way that math or 100mph fastballs are difficult, but more like how driving is difficult... I hope it works for those that choose it... but I'm looking for a web solution that is really a total pain in the ass just to be reasonably sure you know you'll never know for sure whether or not you'e been pwned... I mean one with an exceptional and surprising amount of security issues... like the rest of the iceberg amount of security unknowns, but at the same time rots twice as fast as Windows. I don't have 6 months to sit around and wait for rebooting the thing to cease being entirely effective at making things appear as though things are working fine, just a little slower. I need this thing to go down almost daily after the slightest abuse in less than 6 weeks of deployment. Windows is far too good for my web needs. What I need is something that hardly works at all... something... delicate.

    26. Re:Oh come on... by Rogerborg · · Score: 1

      No, really, the guy that beat me up was like seven feet tall. Also, there were three of him. All of them ninjas.

      --
      If you were blocking sigs, you wouldn't have to read this.
    27. Re:Oh come on... by jimicus · · Score: 1

      No chance, unfortunately, the /. view is very unlikely to agree.

      Thing is, most hacks these days have rather more to do with the application than the platform it's running on. When I said "you have no business running a public website which processes transactions...", I include a public website running Linux.

      I don't actually have any experience running Windows on a public server, and hence I wouldn't feel entirely confident I could do a decent job. But to claim it's impossible to do it properly is just ignorant. Frankly, I'd have been just as scathing of someone who was running RHEL 2.1, for much the same reasons.

    28. Re:Oh come on... by Kazymyr · · Score: 1

      Second that. Fortunately my wife gets all of her Lush stuff in brick-and-mortar stores, not online.

      --
      I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
    29. Re:Oh come on... by Anonymous Coward · · Score: 0

      What is does to your asthma is all very interesting but, if you're not interested in a deliciously fruity shopping experience, Lush turns areas of nearly every shopping centre in the UK into a chemical warzone.

      I don't care that it's not harmful. It's not somewhere I would voluntarily choose to walk.

    30. Re:Oh come on... by LingNoi · · Score: 1

      or if they hired someone to build them a site and then didn't pay them to maintain it.

      FTFY

    31. Re:Oh come on... by drinkypoo · · Score: 1

      I note that you post Anonymously, probably because you are a fucking toolbag shill.

      If you can actually provide some kind of evidence, ANY kind of evidence, that it's Lush products in isolation causing this to happen, AND that these products are smellier than the USUAL stuff which you find in those stores (even my local Grocery Outlet, a second-run grocery store that sells pullbacks, has a whole stinky section of brand-name perfume next to Checkstand #1) then I might consider that you are a real human with a right to speak to others.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    32. Re:Oh come on... by catmistake · · Score: 1

      HA! Forget it Don Quixote... unless you don't have a lot of money to blow and can bend those stability, performance and security requirements, Windows is just about as close as your ever gonna get.

      --
      The Admin and the Engineer
    33. Re:Oh come on... by Ritchie70 · · Score: 1

      noxious/näkSHs/ Adjective: Harmful, poisonous, or very unpleasant.

      I find Lush products to be noxious. My wife also finds their products to be noxious.

      Lush sells a heavily-scented product line. If you don't believe that I don't know what to say.

      It has some of the strongest, most intense scents I have ever encountered. I would rather stand down-wind from a hog farm than in an aisle full of Lush products.

      If your lady has you convinced it's more lightly scented than other products, your lady is fucking with you.

      It may be all natural, and you appear believe that the all-natural nature of it makes it acceptable to your medical condition.

      My mother has asthma and is highly bothered by any strong scents, to the point that she has sent students in her classes to the restroom to wash lotion off. I doubt Lush would be any better for her than kerosene fumes.

      When I walk near their part of the cosmetics department I find the overwhelming scents emanating from the Lush products makes it difficult to breathe and I hurry through what I find to be a highly unpleasant experience to the rest of the store.

      --
      The preferred solution is to not have a problem.
    34. Re:Oh come on... by Ritchie70 · · Score: 1

      God, do you work for Lush?

      Call Macy's. Ask for the Lush counter.

      Don't ask if it's natural, don't ask anything else. Just tell them that your mother likes things with a very mild scent, one of your workmates said Lush was good, and ask if it has a mild scent or if it's pretty strong.

      If you can't tell on your own then maybe you have some level of anosmia.

      Further..... we're arguing about cosmetics on Slashdot. What the fuck. Can we just stop now???

      Moderators, please. DON'T MOD EITHER OF US UP.

      --
      The preferred solution is to not have a problem.
    35. Re:Oh come on... by drinkypoo · · Score: 1

      God, do you work for Lush?

      No, but I wouldn't mind. I would not, however, work for one of the cosmetics products companies that is knowingly using toxics in their products.

      Sometimes I wonder if the dollar stores were created to kill off Mexicans. They're full of toxic shit (there's been recalls for notebooks with lead paint on the covers and such) and notably they have tons of Latin-colored (you know, bright clashy colors) plates and such which have lead warnings printed in them only in English when the people who buy that stuff overwhelmingly speak Spanish.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. My opposite experience by cappp · · Score: 5, Funny

    Weird. My ex always sent me off to increase my "online activities" whenever I made "continued attempts to enter".

    1. Re:My opposite experience by kronosopher · · Score: 1, Funny

      "If you are reading this, our women would like to say that your talents are formidable. We would like to offer you a blowjob — were it not for the fact that your genitalia are clearly not compatible with ours or our customers."

    2. Re:My opposite experience by MichaelSmith · · Score: 3, Insightful

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fucks sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

      --
      http://michaelsmith.id.au
    3. Re:My opposite experience by Anonymous Coward · · Score: 2, Interesting

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fucks sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

      MySQL? Looks like the port is open. Running 5.0.91 by the looks of it too.

      And they wonder why they were hacked.

    4. Re:My opposite experience by TheLink · · Score: 0

      If you're unlucky, you might be accused of hacking them.

      Sometimes it's a good idea to stay clear of crime scenes.

      --
  5. "We'd like to offer you a job..." by mangu · · Score: 2

    "...if your salary weren't way above what us cheapskates are willing to pay!"

    Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

    1. Re:"We'd like to offer you a job..." by 1s44c · · Score: 2

      "...if your salary weren't way above what us cheapskates are willing to pay!"

      Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

      No doubt there is some truth is that. However the smart guys work for the challenge not the money. I know plenty of rich crap people and plenty of smart non-so-rich people.

  6. Netcraft says.... by Anonymous Coward · · Score: 0

    Lush was running IIS on Windows. Coincidence?

    1. Re:Netcraft says.... by HRH_H_Crab · · Score: 1

      IIS on Windows has an overwhelming share of the market when it comes to online commerce sites. It's only natural that hackers would...wait, what?

    2. Re:Netcraft says.... by Anonymous Coward · · Score: 0

      It's PHP Apache if you look.

    3. Re:Netcraft says.... by 1s44c · · Score: 1

      It's PHP Apache if you look.

      PHP. The free alternative to visual basic.

    4. Re:Netcraft says.... by BeanThere · · Score: 3, Informative

      Wrong, if you check their 'what's that site running' history you'll see that they only switched to Apache yesterday. Before that, they were on IIS 5 on, FFS, Windows 2000, which is a sign that they were probably running on outdated poorly managed systems. The fact that the attack attempts "continue" is probably meaningless as whatever they were, they are almost certainly failing now, but the attempts will still show up in the logs which will make any naive IT administrator nervous.

    5. Re:Netcraft says.... by Nick+Ives · · Score: 2

      Yea, every computer on the internet is under constant attack. Like a lot of people, I've moved my SSH daemon to a non standard port out of annoyance with my secure log filling up with common username / password login attempts from botnets.

      If you're presenting a service to the world on a standard port, botnets will always be trying to robohack you.

      I'm not too sure of that Netcraft report though as Lush appear from their statements to have been with their current hosts since at least October last year, so they could've moved from Win2k more recently than three and a half years ago.

      --
      Nick
    6. Re:Netcraft says.... by jimicus · · Score: 1

      I note that they also switched hosting provider. Obviously they're not too keen on their previous provider.

    7. Re:Netcraft says.... by Anonymous Coward · · Score: 0

      Just out of interest, if you have a look at the 'longest uptime' page, there is a number of sites in there with Windows 2000/IIS5 listed..kinda worrying

  7. Every generation... by mwvdlee · · Score: 1

    Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed? If you're doing it for the fun of hacking, how much fun could it be to repeatedly hack a site that's obviously not very difficult to hack? Or is this just some juvinile delinquints trying to steal credit card details?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Every generation... by jonbryce · · Score: 3, Informative

      They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.

    2. Re:Every generation... by coolmadsi · · Score: 2, Insightful

      Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?

      I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hope everything blows over.

      My girlfriends often tells me how ethical they are as a company, they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots back to them for a discount on their next purchase (and they then re-use the pots). As its a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess up with my breathing. Most girls don't seem to mind it though.

    3. Re:Every generation... by jimicus · · Score: 1

      As its a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess up with my breathing. Most girls don't seem to mind it though.

      That's the biggest advert they've got! You can smell one of their shops halfway down the street.

    4. Re:Every generation... by BLKMGK · · Score: 1

      Smells good to me. You can buy their soaps and your bathroom smells wonderful as well. I buy their stuff here in the States and like it actually. Is Lush Canada, Lush UK, and the Lush company here in the US all the same? I wonder what the other web sites are running... :-O

      --
      Build it, Drive it, Improve it! Hybridz.org
    5. Re:Every generation... by jimicus · · Score: 1

      Very much in so, they've openly admitted that they have been approached by people wanting to license/franchise the brand outside the UK where they're based and refused.

    6. Re:Every generation... by BLKMGK · · Score: 1

      Okay, well that makes sense. Here in the US I don't see them selling so much make-up like others have described as they do mostly natural bath products. I also don't see them in the likes of Macey's as has been described here. At least not that I've noticed. They DO have their own shops however and I've visited them at several malls and at an airport of all things. I always have some of their soap here and while I don't use it all the time the stuff smells great. I've actually found that when women smell it on you they like it too so bonus!

      From the "diary" entry posted elsewhere they do really sound like they have a small IT operation. Like three guys and a hosting company which surprises me if they are big enough to have sites for multiple countries and at least 4 shops that I know of here. I guess I would expect them to be using more than just a couple of guys and apparently a Win2K web server at least. I guess if nothing this is working out to be free publicity for them :-)

      --
      Build it, Drive it, Improve it! Hybridz.org
    7. Re:Every generation... by jimicus · · Score: 1

      The Win2K web server was with an outside hosting company.

      I can't believe any self-respecting hosting company is still operating anything running 2K, so my money's on it being their own server in a colo (which is now an Apache server with United Hosting - who I don't think do colo so I'd imagine it's a case of "we need to move our site to something which we can be 100% certain hasn't been hacked 15 ways from sunday - only way to do that is to run it on a different server altogether").

      They do virtually no make-up, but they've always billed themselves as a cosmetic company - their UK products are mostly moisturisers, massage bars, bath and shower products. They have a sister company that does do make-up, though I'm not sure that's made it terribly far outside of Covent Garden. Possibly in other countries they put the make-up in the Lush stores.

      (My wife is a Lush fanatic and I have a hell of a memory).

  8. And so by Dunbal · · Score: 1

    Someone thought that slashdotting the site would help more...

    --
    Seven puppies were harmed during the making of this post.
    1. Re:And so by coolmadsi · · Score: 1

      Someone thought that slashdotting the site would help more...

      The site is mainly text with a couple of images. No adverts (I don't think). More likely to stand up to a large influx of visitors compared to a site that is half flashy adverts, due to transferring less data.

  9. Our morals and those of our customers? by Kaz+Kylheku · · Score: 1, Interesting

    How do they ascertain customer's morals? Just because someone buys something from you doesn't mean they have good morals!

    What if the culprits turn out to be customers assisted by an employee? :)

    1. Re:Our morals and those of our customers? by Anonymous Coward · · Score: 0

      Serves them right for misshipping my makeup which I use to solicit sex from men while dressed as a woman

    2. Re:Our morals and those of our customers? by Dracula · · Score: 1

      What if the culprit(s) turns out to be an employee?

    3. Re:Our morals and those of our customers? by Anonymous Coward · · Score: 1

      Consider that the customers are customers. That means that they pay money in return for products, as opposed to, say, stealing them. This might imply that the customers agree on "stealing is undesirable." Some might even extrapolate to "cracking servers is undesirable."

    4. Re:Our morals and those of our customers? by Anonymous Coward · · Score: 0

      It's easy: they're mostly paying customers who are honoring the usual deal between a customer and a proprietor (I'll give you this if you give me a certain amount of money), as opposed to "customers" that try to spoof their web site and/or scam their business and/or scam legitimate customers.

      I might be impressed by the skills of a shoplifter and their knowledge of store security, but I wouldn't be tempted to hire them either, especially if they are also pickpocketing other customer's credit cards.

      And if it's an employee helping them, well, at the least they should expect to be fired. And after that, prosecuted.

    5. Re:Our morals and those of our customers? by Anonymous Coward · · Score: 0

      Just because someone buys something from you doesn't mean they have good morals!

      If you can make your customers feel as if they do, then you don't have to worry about profits ever again.

      (Religion, cosmetics, what's the difference?)

  10. Glass half empty, or half full? by rts008 · · Score: 1

    Well, after their servers experience a Chernobyl style meltdown from slashdotting, the hackers can't even get close enough to sift through the ashes! :-)

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  11. Perhaps it's a grammatical thing by Anonymous Coward · · Score: 0

    I'm thinking the company was meaning to say morale, not moral.

  12. Lush is not a typical 'cosmetics' store by Squiff · · Score: 1

    They specialise in handmade soaps and seem to be in pretty much every high street in the UK- Example: http://maps.google.com/maps/place?cid=10383864969614968362&q=lush&hl=en&sll=51.494368,-0.154123&sspn=0.049163,0.154324&ie=UTF8&ll=51.518891,-0.2314&spn=0,0&z=13 You are more likely to get bath soap from them then eyeliner and you can smell the patchouli from one of their branches from quite a distance... Maybe their 'IT' team is in the same vein?

    1. Re:Lush is not a typical 'cosmetics' store by Billlagr · · Score: 1

      Australia too..I am greeted by the gently wafting smells every morning as I step out of the train station, on my way to work

  13. Smelly by ebcdic · · Score: 1

    The smell from their shops is so strong that it's actually unpleasant to stand at a nearby bus stop.

    1. Re:Smelly by Anonymous Coward · · Score: 0

      Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap..

    2. Re:Smelly by Threni · · Score: 1

      Exactly. If there were only some way of preventing the stores from opening and instead allowing customers to shop online...

      Having a page on eBay and Amazon is something a few companies are doing now. The sort of script-kiddies and spotty virgin bedroom boys who try and take sites down are too lame to be able to affect them, so you'd be safe.

    3. Re:Smelly by ettlz · · Score: 4, Funny

      Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap..

      Oh, it's only a phase. It normally ends once they go to university.

    4. Re:Smelly by Anonymous Coward · · Score: 0

      Hey! I resemble that remark!

  14. From lush.co.uk by Anonymous Coward · · Score: 0

    All customers potentially exposed to this breach were sent an e-mail on 20 January 2010.

    At least they gave prior warning!

  15. I always thought... by baloki · · Score: 1

    Doesn't PCI:DSS forbid the storage of full credit card numbers?

    1. Re:I always thought... by Anonymous Coward · · Score: 0

      i thought they could be stored - but not in a human readable format - i.e. must be encrypted. The CVV code must never be able to be recorded for later retrieval.

    2. Re:I always thought... by Anonymous Coward · · Score: 0

      No. Think about it. You need to get at least an Auth initially and then possibly a Charge later on despatch. Or - you do both on despatch. Or the bank's system is down and you need to submit later, (not wanting to lose the sale of course by refusing the transaction!). What about refunds to your card if you return items, cancel them pre/post despatch? Tokenisation helps, as does storing the card number decently encrypted.

      PCI compliance (for some value of compliant) is extremely expensive. Smaller companies perhaps cannot afford it and take a risk. Any company where management is by sales types rather than IT savvy ones are unlikely to understand the issues and risks. Sales websites are more about "pink tinsel" ( (TM) T B-L at his FIEE acceptance speech), and digital bling than security and integrity. MDG

    3. Re:I always thought... by jimicus · · Score: 2

      It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.

      Which would explain why they're only worried about customers who bought stuff in the last couple of months.

    4. Re:I always thought... by Anonymous Coward · · Score: 0

      Duh. The BANK deals with all of the credit card details, the seller never needs to see them, never needs them on their server, ever. They are sent directly from the webpage to the BANK who then process the sale, then send the code back to the server to say the money has gone through to the BANK.
      If you want to refund, you do so through THE BANK.

      In other words, Lush never needed to have anybody's credit card details anywhere on its servers - EVER.

      "Or the bank's system is down and you need to submit later, (not wanting to lose the sale of course by refusing the transaction!)."

      Huh? So how does the customer know if their order has gone through? You just 'accept' all orders when your bank's system is down? How often does that happen? How about never?

    5. Re:I always thought... by Anonymous Coward · · Score: 0

      OK - let's look at this carefully and slowly. Actually it's not the "BANK" that the seller sends details to - it'll be some outfit like commidea.com. Usually the transaction is split into an Auth (yes - there is money there at the moment to cover this sale) and a Charge when the goods are despatched. So ... pay attention now ... when you Charge you need to tie it up with the previous Auth. Can't do it on name/address as the purchaser may, quite legitimately have a number of cards - even from the same issuer. Tokens (as I mentioned earlier) are one way round this - but a Tokenised system costs lots more and many retailers aren't too keen. So you do actually need to have some way of keeping the card number (albeit - on a decent system - encrypted).
      Refunds/Chargebacks/Recharges are a nightmare - and once again you need to tie up the *original* purchasing card with the Refund. Lots of scope for fraud if you don't :-).
      There is another way - at the point of transaction you take the customer away from "your" website - and dump them into a customised screen from (eg) PayPal, which then does the necessary checking. After the Auth/Charge (depending on the set-up) the customer is returned to their "basket". The retailer doesn't get to need the card details - but again - they pay highly for the service from PayPal etc.

      As to orders being accepted when the system is down ? YES - that's the way it's done. There's all sorts of reasons the Auth doesn't get done immediately, and usually the customer is none the wiser. Time outs, network glitches at any one of a string of node points without going to the extremes of the recent Mastercard DDOS scenario.

      And just to worry you further; PCI DOESN'T properly apply until the Auth has been obtained. When you think about it it can't - you have to store the card number somewhere/somehow in order to pass it on to commidea or whoever. The shopping cart entry form doesn't have some magical power of information transference - bytes are stored, then moved at some later time - could be miliiseconds, could be days.
      MDG

    6. Re:I always thought... by Anonymous Coward · · Score: 0

      It happens all the time in brick & mortar operations.

      I work for a major retailer with an average check under $10.

      Our credit card system, if the sale is under a threshold, will just store the transaction to be approved later if connectivity out of the store (aka DSL) is down.

      Occasionally the store will build up thousands of dollars of stored transactions if the outage is long-term.

      This is fairly safe, because most transactions overall are approved, and certainly most low-dollar ones.

      Further, if I understand it right, once the system comes back online, there's an additional flag set when it goes up the processor, and they'll push the issuing bank a bit harder to give them money if it initially declines.

  16. Mobile Operators and Police don't help by Ian.Waring · · Score: 4, Informative

    My wife is a Lush customer, ordered online in the time period described and did have 2 £15 charges (total just north of $40) for prepay mobile phone credit debited from her account. She spotted that virtually immediately; however, her bank just wanted to snail mail post a claim form to her to get her money back, and O2 (the mobile phone company providing the goods from the fraudulent two transactions) said it was an industry agreed procedure to wait until the bank got in touch with them before they'd do anything. So, bottom line, the thieves have 5 days to use the credit they stole, when O2 could have invalided the transaction immediately and/or aimed some trace to the person using that mobile handset. About as much use as a cow on stilts. We need a Bill Bratton methinks. Follow the money, get to the source.

    1. Re:Mobile Operators and Police don't help by cdrguru · · Score: 1, Insightful

      Why do you want credit card companies to persecute their customers? Shouldn't they be reaching out to their customers with a more friendly business model?

      You see, the way it works is the cardholder gets the stuff taken off their bill - usually no questions asked, it just happens. OK, so they want you to jump through some hoops for it, but it will happen no matter what.

      Then the credit card company charges back the purchase to the merchant. The merchant should have insurance to cover this sort of thing, so it is no loss to them.

      So who loses here? Nobody. Victimless crime.

      The only problem is if the merchant doesn't have insurance. Too bad then. Should have gotten the insurance because it is going to happen to you eventually.

      Obviously here the credit card company isn't going to prosecute anyone.

      Oh, from a closer reading of your post it sounds like a DEBIT card was used, not a credit card. Well, the rules for those are different and banks are extremely reluctant to remove charges. Of course, they will charge back to the merchant anyway, just the same as a credit card. Except you might not ever get your money back from it and it just stays on your bill.

      Simple rule here: never, ever use a DEBIT card online. Ever. There are no systemwide rules for how those transactions are cancelled as there are for credit cards. Use a debit card and lose your money. Period.

    2. Re:Mobile Operators and Police don't help by Have+Brain+Will+Rent · · Score: 1

      Wow just yesterday my spouse got called by Amex because a (one single) charge appeared that fell outside her normal spending pattern and they suspended her card right away, told her she would not be charged the amount and told her a replacement card would be received within 5 business days.

      I used my business debit card for a sub $100 withdrawal, at an ATM in a branch of my bank, in a small town about 30 miles from where I normally do business. This set off some kind of alert and the fraud division called my number but I wasn't around to take the call so they cancelled the card - all within 2 hours of my using the card.

      Sounds like you may need a new bank?

      --
      The tyrant will always find a pretext for his tyranny - Aesop
    3. Re:Mobile Operators and Police don't help by Anonymous Coward · · Score: 0

      Disclaimer; I work for an online retailer.
       
       

      So who loses here? Nobody. Victimless crime.

      This is *exactly* the attitude that lets so much of this crime continue. Actually, I'll cut customers some slack, because most of them think that the "big bad" credit cards' issuing banks eat the cost, when as you say, the retailers actually do. (In fact, I'd guess that the banks are quite happy for that false impression to continue).

      But anyway, I don't count people being falsely branded as paedophiles, losing their jobs and being ostracised by their families as "victimless".

      That aside, do you honestly think the cost of this doesn't come out in the wash as increased prices for everyone? That "insurance" you describe that retailers should have- do you think it's paid for with magical pixie pennies?

      Yes, they should probably have insurance to cover payment fraud and theft in general anyway- but you can be sure it's going to cost *significantly* more than if the police and credit card companies both remotely cared about preventing such fraud.

      The credit card companies do *not* give a toss about fraud. We can cancel obviously fraudulent transactions, but we can't notify the customer directly that their card is being misused (we don't have access to their contact details, which probably makes sense, except that the CC company won't "pass on" or do anything about this anyway).

      The police here in the UK will do nothing to investigate blatantly fraud in such cases, even when we have a concrete address, etc.
       
      This isn't a case of accepting that there will always be problems with fraud- this is the fact that even when they *know* about such crimes and have a chance to stop them, both the police and the CC companies wash their hands of it and let it continue.

  17. Yum by WarwickRyan · · Score: 1

    Their coconut soaps fantastic.

    Goes great with a bit of icecream and and grated dark chocolate.

    1. Re:Yum by uglyduckling · · Score: 1

      I have this problem too - on initial inspection, and smell from a distance, I would far rather eat most of their products. Once you get close and smell the soap, the feeling goes away. I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

    2. Re:Yum by WarwickRyan · · Score: 1

      > I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

      Yeah, like speciality fudge or something.

      Don't think that the ingredients are that different, either. Replace the oil with butter, and add a bit of sugar :)

  18. Morals ... by Martin+S. · · Score: 1

    "We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

    Are these the same moral that allow Lush to charge premium prices for what is essential home made soap.

    1. Re:Morals ... by poity · · Score: 2

      I don't get it, how is charging premium prices a breach of morals? Do they have a soap monopoly?

      --
      your thin skin doesn't make me a troll
    2. Re:Morals ... by Skidborg · · Score: 1

      Restaurants charge a premium for what is essentially homemade food after all... if people are willing to pay for the convenience, why not let them?

      --
      Supporter of the +1 Over Dramatic mod option. In memory of apk.
    3. Re:Morals ... by coolmadsi · · Score: 1

      "We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

      Are these the same moral that allow Lush to charge premium prices for what is essential home made soap.

      I think its mostly hand made. Surprisingly human workers cost more than machines.

      Besides, most things of a 'premium' brand will have a large mark-up. I've heard that for trainers (sneakers? Is that the American term?) they don't get much better in quality past the £50 point, but companies still have ones that cost over twice that because if they didn't someone else would sell them for that much, and people would buy them (percieved high quality from spending more)

  19. Lush Should Sell on Amazon Instead by CodeBuster · · Score: 1

    This example demonstrates precisely what can happen when a company which does not specialize in IT and the rigors of running a high traffic online storefront attempts to build same with an in-house crew or a band of hired consultants. Lush would have been much better off creating a storefront on Amazon and selling their products there. The readers of Slashdot will recall that Amazon threw off attempted DDOS attacks by Anonymous during the WikiLeaks affair without even breaking a sweat. My advice to Lush: go with Amazon and use their web services to connect your inventory control system to their storefront. If you had gone with Amazon, instead of trying to roll your own bubble gum and bailing wire solution. then you would be faced with the happy problem of how to restock your inventory instead of explaining to ex-customers how they can get in touch with their bankers in order to limit the damage.

  20. Missed the point by Anonymous Coward · · Score: 0

    We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers
     
    Wow, this really shows that they missed the point, these people are obviously not interested in jobs since their current pursuit offers them more enjoyment/reward.

  21. Own up already by Suffering+Bastard · · Score: 1

    It actually bothers me that they blame "oh noes teh hax0rz!!1!". As if there are all these evil hacker minions out there using their villainous technology to break in to sensitive systems. It's classic deflection of responsibility by generating fear of faceless bad guys.

    Windows 2000/IIS? Storing cc numbers as plain text in your online database? If you're gonna lay down next to fire ants, don't cover yourself in honey.

    --
    "Molest me not with this pocket calculator stuff."
    - Deep Thought
  22. Uhh.. Communication Error... by Anonymous Coward · · Score: 0

    Might want to clarify the issue here. It is only the UK site affected. Lush.com has a message saying the North American online store is open and secure.

    So, anyone in the USA who uses Lush can still shop securely.