Sunday, February 13, 2011

Lush site hack leaves customers at risk

Lush website hack leaves customers at risk of fraud

Lush says it became aware of hacker attacks in late December. Photo: Guardian

Handmade cosmetics group Lush has admitted that its website was hacked repeatedly by fraudsters over the past three months, putting thousands of customers at risk of having their card details stolen. But the company only informed customers last night.

Lush has taken down its website and replaced it with a statement: "We would like all customers who have placed online orders with us between 4 Oct 2010 and 20 Jan 2011 to contact their banks for advice, as their card details may have been compromised."

The beauty company warned: "24-hour security monitoring has shown us that we are still being targeted and that they are continuing to try to re-enter."

Customers will not be able to make purchases until a new site is launched "in a few days", accepting only PayPal payments, but orders are still being taken through its mail-order telephone service, which the cosmetics group said had been unaffected by the "crisis". Customers who paid by card in Lush stores are also unaffected.

Rik Ferguson, a consultant at security firm Trend Micro, said he knew of a person who had used the site for an order and subsequently seen fraudulent orders of £1,700 made against the card. "The risk of these card numbers being used has already moved from the theoretical to reality," he said.

The fact that Lush is warning customers to contact their banks may indicate that it has failed to encrypt the details held on its site – which, if true, could mean it has failed to comply with the regulations known as PCI compliance, which regulate the storage of card details by websites in Europe.

That could, in the worst-case scenario, see Lush deprived of its ability to accept credit card payments online. Lush said it would launch a separate site "in a couple of days", which would accept PayPal payments only. PayPal transactions do not require PCI compliance. The company did not respond to a request to explain whether it had adopted PCI standards before this story was published.

Lush also posted a video of dancing lemmings alongside its statement to "try to share a smile" and added a cheeky message to the hackers: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not that your morals are clearly not compatible with ours or our customers'."

Graham Cluley, senior technology consultant at computer and web security company Sophos and a respected blogger on the subject, said: "If I were a customer of Lush's website, would I feel like smiling this morning? It would certainly be interesting to hear when Lush first discovered that they had suffered a security breach. Was it at the same time as they posted the message on the front page of their website, or have they known for longer?"

Many customers are also wondering why it took Lush so long to inform customers if the site was first hacked in October, especially as its statement says it has 24-hour web security.

One post on Twitter read: "So Lush have known they were hacked since Christmas and have just decided to share the info? Disappointed, I really am." Another tweet said: "I don't care if Lush products are eco-friendly or not. I care if they keep my banking information safe." Another claimed: "I still have emails from Lush dating back to 2007 where they admit to having serious bugs and 'gremlins' with their website."

Patrick Taylor, a Lush customer from Blackpool, told the Guardian: "Lush make nice stuff and seem to be a cool company, but as soon as they noticed the hack they should have closed the website and communicated with customers. Thousands of us will have been affected by this. My girlfriend has now had to check her credit card details."

Victims are also posting messages on the Lush Facebook page. One wrote: "We have had our cards compromised and used in fraudulent transactions only three days ago. They have now been cancelled and we have no way to get access to our money."

There was also speculation as to how long Lush had been holding clients' financial data in an unsafe environment. One Lush victim said: "We used Lush's site back in late Nov. They must have been holding our details unencrypted since then."

Lush said in a statement: "We became aware in late December that www.lush.co.uk had been subject to attack by malicious users. Our customers' safety is of the utmost importance to us and as soon as we realised this was the case, we immediately took down our UK website; a thorough investigation followed and extra security measures were put in place.

"24-hour monitoring has shown that another attempt to hack our UK website has been made, and again we have taken down our UK homepage as a precautionary measure.

"We are horrified that this has happened, understand the concern it causes, and we value our customers' continued support while we resolve the matter. We will continue to work with our credit card acquirer to undertake a complete review of this hacking attempt."

Lush was previously praised by green campaigners for not using animal fats in its products, as well as for its stance on animal testing: it carries out tests with human volunteers instead. The group has also sold products whose full purchase price goes to charitable organisations, and it promotes various charities on its product packaging.

Loyal customers have defended the company and praised it for the way its statement was written. One Twitter user wrote: "I like the way Lush is handling the hackers who closed its online store." Another wrote: "Some terrible people have hacked the Lush homepage … they need to get a life and leave the lovely peeps at Lush alone."

Cluley said Lush appeared to have adopted a "social media response" to the security breach. "Although the news for customers is very worrying, they are trying to present it in a warm and cosy way," he said. "What I wonder, however, is how well customers will take the news that their credit card details might have been compromised – and whether they may not appreciate Lush's attempt to smooth the waters."

He added that it would have been more useful if Lush had linked to information showing people how to tell whether their credit card has been misused and what next steps affected customers should take. Instead, Lush customers are simply advised by the company to contact their bank or credit card provider for advice.
