
Major cosmetics retailer suffers cyber incident

British cosmetics firm Lush has confirmed that it has suffered a cyber incident and has launched an investigation.

Daniel Croft
Mon, 15 Jan 2024

The company, which prides itself on its values and ethical business practices that minimise environmental impact, has manufacturing facilities in Australia, Europe, and Japan and operates in 49 countries, including the US.

Lush has so far remained quiet on the incident, only issuing a brief statement to say it was aware of the incident and is working with cyber experts for its investigation.

“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation,” the company wrote in a statement on its website.


“The investigation is at an early stage, but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”

While the extent of the breach's impact is unclear, Lush, as a British company, is required to inform the UK Information Commissioner's Office (ICO), just as Australian organisations are required to notify the Office of the Australian Information Commissioner (OAIC).

The nature of the cyber incident is currently unknown, and an investigation by Cyber Daily through threat feeds has shown no evidence of a threat actor or ransomware group claiming responsibility.

One user of the r/LushCosmetics subreddit on Reddit, who has since deleted what they called a throwaway account, has written a brief statement explaining why it is likely that many users have not received a response to customer service requests.

“If you have not had a response from customer service, it is probably because every member of staff have been asked not to use their laptops and they need to be returned to head office for cleaning,” the user wrote, adding that the issue is not being openly discussed at the company.

“It has not been openly talked about hence a throwaway account. Please do not blame the staff, it is not their fault. No word if customer data is affected.”

Another user on the same feed responded to questioning, saying that the incident affected the brand’s UK base, adding: “We’ve had no work to do all week because of it.”

Responding to a question asking if the hack puts customer information at risk, the same user, who goes by AmaraFiler on Reddit, wrote: “I really wouldn’t like to say either way, I just work packing online orders. All they’ve told us is there are connection issues. I would like to hope your info is safe.”

They also wrote that they are dispatching orders but are unsure if there are any delays, “or if things have just slowed down”.

It is worth noting that the sources on Reddit cannot be verified and that information sourced from the platform should be taken with a grain of salt.

This is not the first time Lush has suffered a cyber incident. Back in 2011, the company revealed that customers who had ordered products between October 2010 and January 2011 may have had their card details stolen. Thousands of customers were potentially put at risk, and they only found out in January 2011.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
