Lush Suffers Another Predictable Compromise

Tuesday, February 15, 2011

Lee Mangold


The cosmetics company Lush Cosmetics was the target of a successful data breach discussed several days ago: The Real Business Impact of Being Hacked.

Unfortunately it's happened again... as predicted.

Lush operates many web portals around the world selling beauty supplies. After their last breach, I decided to find out a little more about the company, out of genuine interest in the company (rather than the breach).

The first thing I noticed was that their site was offline, but the rest of their sites were still operational.

A quick look at showed all the portals Lush operated around the world. Visiting these sites revealed that there were at least four variations of the Lush site across the 35+ sites.

Now, by "variations of the site", I mean completely different infrastructure: some portals were running Joomla while others appeared to be custom-built.
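One way to sort a fragmented estate like this by backend is to fingerprint each portal's HTML for the tell-tale markers a Joomla install leaves behind (the generator meta tag, the `/media/system/js/` and `/templates/<name>/` asset paths, and `option=com_...` query strings) and group hosts that share a platform and version. The script below is an added example, not code from the original post; the hostnames and page bodies are constructed stand-ins, not captures of any real Lush site.

```python
import re
from collections import defaultdict

# Constructed sample responses. Hostnames and HTML are hypothetical stand-ins,
# not captures of any real Lush portal.
SAMPLE_PAGES = {
    "shop.example-a.test": (
        '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'
        '<script src="/media/system/js/mootools.js"></script></head><body>...</body></html>'
    ),
    "shop.example-b.test": (
        '<html><head><link rel="stylesheet" href="/templates/rhuk_milkyway/css/template.css" />'
        '</head><body><a href="index.php?option=com_content&view=article&id=1">Home</a></body></html>'
    ),
    "shop.example-c.test": (
        '<html><head><meta name="generator" content="Joomla! 1.6 - Open Source Content Management" />'
        '</head><body>...</body></html>'
    ),
    "shop.example-d.test": (
        '<html><head><title>Store</title><link rel="stylesheet" href="/static/site.css" />'
        '</head><body><div id="app"></div></body></html>'
    ),
}

# Joomla's default generator tag, with an optional version number after "Joomla!".
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="Joomla!\s*([\d.]*)', re.I)

# Path and query-string conventions that Joomla installs expose even when the
# generator tag has been stripped from the template.
JOOMLA_HINTS = [
    re.compile(r'/media/system/js/', re.I),
    re.compile(r'/templates/[^/"\']+/', re.I),
    re.compile(r'option=com_[a-z_]+', re.I),
]


def fingerprint(html):
    """Classify one page body as ('joomla', version) or ('custom', None).

    The version is 'unknown' when only path/query hints are present.
    """
    m = GENERATOR_RE.search(html)
    if m:
        return ("joomla", m.group(1) or "unknown")
    if any(h.search(html) for h in JOOMLA_HINTS):
        return ("joomla", "unknown")
    return ("custom", None)


def group_by_backend(pages):
    """Map each distinct (platform, version) pair to the hosts running it."""
    groups = defaultdict(list)
    for host, html in pages.items():
        groups[fingerprint(html)].append(host)
    return dict(groups)


if __name__ == "__main__":
    for backend, hosts in sorted(group_by_backend(SAMPLE_PAGES).items(), key=str):
        print(backend, "->", ", ".join(hosts))
```

Against a live estate you would replace `SAMPLE_PAGES` with bodies fetched from each portal; the grouping is what answers the question that matters after a breach, namely which other hosts share the compromised platform and version and therefore need the same patch or takedown.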

This led to another question: were any of the other Lush sites using the same vulnerable backend as

I suspect we have that answer, as another Lush breach occurred on their New Zealand and Australian sites, resulting in the exposure of their customer database and related credit card numbers.

There are many, many questions to be asked. Why is their infrastructure as fragmented as it is? Why are they storing credit card numbers? Why are they "rebuilding their site" for

I think the real lesson here is that Lush is NOT a high-profile target, but they were still a target.

There is still a misconception that "I'm not important enough to hack"... Well, I think I disagree with that...

Regardless of the size and visibility of your organization, at some point you HAVE to take a step back and ask "does this make sense?"

Lee is the CEO of LVM Engineering, Inc., founder of INFOSEC School, and a US DoD IT security contractor. This article expresses the views of the author, and not necessarily those of his affiliated organizations or the United States government.

