Thousands of credit card details compromised after hackers target Lush website


The Australian and New Zealand shopping site of popular cosmetics group Lush has been hacked only weeks after a similar breach occurred on the company’s UK site. Thousands of online shoppers who recently purchased items from Lush have been warned to contact their banks.

The retailer has taken down its website this morning and instead posted a statement warning that customers’ personal details, including credit card numbers, may have been compromised.

‘‘We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable,’’ the company’s website says.

The attack follows a breach of the Lush UK website in which criminals stole credit cards between 4 October last year and 20 January 2011 and used them for fraudulent purchases. The overseas website is still offline after nearly a month; the company plans to post a revamped site.

Lush said the UK and local websites are not linked, but did not confirm if the two use the same hosting software, which could expose both to the same vulnerabilities.

‘‘As a precautionary matter we have removed access to our website while we carry out further security checks,’’ the statement says.

‘‘Lush is working with the police, forensic investigators and banks and doing all that we can to investigate the breach in privacy.

‘‘We are currently in the process of contacting each of our online customers individually by email.’’

The security breach has not affected customers who used the mail order phone line, the statement says.

‘‘Again, we would like to say that we are truly sorry and thank all our customers for standing shoulder to shoulder with us during this difficult time,’’ says Lush on its website.
