Hackers recently struck the website of cosmetics firm Lush, leaving shoppers’ credit card details exposed to cyber thieves. Since then, many Lush customers have reported that their cards have been used fraudulently. Emily Gorton, staff writer for Choose.net,looks at the lessons learnt from the debacle.
Cosmetic giant Lush’s very public – but belated – reaction to their online security breach has caused controversy and general bafflement across the commercial world.
Following the news that their site had been ‘a bit wobbly’ on Christmas Eve, technical specialists uncovered a massive infringement of their ecommerce website.
But unlike the usual custom for a company to keep its head well down when they’re at threat from hackers, Lush have made a concerted effort to publicise the news… but nearly a month after discovering the problem.
Although happening upon the breach in late December, only a few weeks ago did they finally break the news to their customers.
They are now warning all of those who used the site between the 4th of October 2010 and the 20th of January 2011 could be at risk of fraud as their credit card details have been compromised.
Lush has even shut down its site, aiming to create a whole new one which just deals in Paypal payments.
It has also composed the following personal message to any hacker who continues to try and break into the website:
‘To the hacker: If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.’
To add to this, they have been incredibly emotive about the crisis, claiming to be devastated by the attack. Ethics director Hilary Jones even told PC Pro, ‘it has been horrendous, the stress and turmoil and tears.’
Lush may have won a lot of respect for bravely sticking its neck out and being honest with its customers.
But the month of silence, within which many accounts could have been infiltrated, has considerably soured the nobility of the move.
Did they spend a month devising the very public announcement, or were they forced to break their silence by an angry customer?
Either way, Lush’s actions are highly suspect.
The reaction to site hackers, then, should be timely and, though few brands could pull off Lush’s highly emotive reaction so effectively, a personal reaction should always be preferred.
It also masks the fault of the business’ website, at least to some extent.
If credit card providers are smart, though, it’s they who’ll be taking notes from the Lush affair.
Providers who can take the lead on safety online, as it becomes clear that even sites with great PR can slip up rather spectacularly in this area, could win a huge number of loyal customers.
This is a guest post from Choose. The site covers rights issues, research and debate into the consumer credit card and more broadly personal finance markets.