British cosmetics firm Lush has confirmed that it has suffered a cyber incident and has launched an investigation.
The company, which prides itself on its values and ethical business practices that minimise environmental impact, has manufacturing facilities in Australia, Europe, and Japan and operates in 49 countries, including the US.
Lush has so far said little about the incident, issuing only a brief statement confirming that it is aware of it and is working with external cyber security specialists on the investigation.
“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation,” the company wrote in a statement on its website.
“The investigation is at an early stage, but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”
The extent of the impact is still unclear. As a UK company, Lush would be required under UK GDPR to notify the Information Commissioner's Office (ICO) within 72 hours if the incident involves personal data and is likely to pose a risk to individuals, just as Australian organisations are required to notify the Office of the Australian Information Commissioner (OAIC) of an eligible data breach under the Notifiable Data Breaches scheme.
The nature of the cyber incident is currently unknown, and a check of threat intelligence feeds and ransomware leak sites by Cyber Daily found no threat actor or ransomware group claiming responsibility.
One user of the r/LushCosmetics subreddit on Reddit, posting from what they called a throwaway account that has since been deleted, offered a brief explanation of why many customers have likely not received a response to customer service requests.
“If you have not had a response from customer service, it is probably because every member of staff has been asked not to use their laptops and they need to be returned to head office for cleaning,” the user wrote, adding that the issue is not being openly discussed at the company.
“It has not been openly talked about hence a throwaway account. Please do not blame the staff, it is not their fault. No word if customer data is affected.”
Another user in the same thread, responding to questions, said the incident affected the brand’s UK base, adding: “We’ve had no work to do all week because of it.”
Responding to a question asking if the hack puts customer information at risk, the same user, who goes by AmaraFiler on Reddit, wrote: “I really wouldn’t like to say either way, I just work packing online orders. All they’ve told us is there are connection issues. I would like to hope your info is safe.”
They also wrote that they are dispatching orders but are unsure if there are any delays, “or if things have just slowed down”.
It is worth noting that the Reddit accounts in question are unverified, so the information sourced from the platform should be treated with caution.
This is not the first time Lush has suffered a cyber incident. In January 2011, the company revealed that customers who had ordered products from its website between October 2010 and January 2011 may have had their payment card details stolen, potentially putting thousands of customers at risk for several months before they were informed.