Lush Suffers Another Predictable Compromise

Tuesday, February 15, 2011

Lee Mangold


The cosmetics company Lush Cosmetics was the target of a successful data breech discussed several days ago:  The Real Business Impact of Being Hacked.

Unfortunately it's happened again... as predicted.

Lush operates many web portals around the world providing beauty supplies. After their last breech, I decided to find out a little more about the company out of genuine interest about the company (rather than the breech).

The first thing I noticed was that their site was offline, but the rest of their sites were still operational.

A quick look at showed all the portals Lush operated around the world. Visiting these sites revealed that there were at least four variations of the Lush site across the 35+ sites.

Now, by "variations of the site", I mean using a completely different infrastructure! Some were using Joomla while others appeared to be custom.

This lead to another question: Were any of the other Lush sites using the same vulnerable backend as

I suspect we have that answer as  another Lush breech occurred on their New Zealand and Australian sites resulting in the exposure of their customer database and related credit card numbers.

There are many, many questions to be asked. Why is their infrastructure as fragmented as it is? Why are they storing credit card numbers? Why are they "rebuilding their site" for

I think the real lesson here is that Lush is NOT a high-profile target, but they were still a target.

There is still a misconception that "I'm not important enough to hack"... Well, I think I disagree with that...

Regardless of the size and visibility of your organization, at some point you HAVE to take a step back and ask "does this make sense?"

Lee is the CEO of LVM Engineering, Inc., founder of INFOSEC School, and a US DoD IT security contractor. This article expresses the views of the author, and not necessarily his affiliate organizations or the United States government

Possibly Related Articles:
Network Security Business breach Lush Cosmetics Website Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.