Lush urges shoppers to cancel cards after hack

Photo / Thinkstock

Cosmetics company Lush is warning New Zealand customers to consider cancelling their credit cards after its website was hacked.

It follows a recent attack on Lush's operations in Britain, where customers criticised the company for not taking action until three months after it found out its site had been compromised.

Managing director Mark Lincoln said from Australia that the company's webhost notified Lush at 10.30am on Monday that "unusual unauthorised access" had occurred and data had been downloaded.

A company statement said "personal details" may have been stolen.

Lush shut down its website at 11.30pm that day.

The company does not yet know how many customers have been affected or if cash has been taken from customers' credit card accounts.

Lush is working with forensic investigators and New South Wales police, who are likely to contact their counterparts in New Zealand.

Lush is also emailing its customers and urging them to act quickly.

"We urgently advise our customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable," Mr Lincoln said.

Asked why it took more than 12 hours to shut down the website, Mr Lincoln said it had taken time to establish the extent of the problem.

It was possible that money had been stolen between Lush finding out about the breach and shutting down its website, Mr Lincoln said.

"Obviously it's a concern and we're very concerned about the effect on our customers but we would reiterate, we moved as quickly as we possibly could."

In New Zealand, customers buy $200,000 worth of Lush products online each year. In-store eftpos transactions across 12 stores have not been affected, nor have phone orders.

Mr Lincoln said the company had been in the process of tightening its security and changing the way customers make online purchases.

Those steps were in reaction to news that the British site was repeatedly hacked into between October last year and January 20 this year.

It could take up to eight weeks before the local website is live again as security checks need to be completed.