Cosmetics retailer Lush dealing with mystery cyber incident

Cosmetics retailer Lush confirms it’s investigating a cyber attack of an undisclosed nature, but key public-facing systems appear to be unaffected

Dorset-based cosmetics retailer Lush has fallen victim to a cyber security incident of a currently undisclosed nature, via a brief notice posted to its website on 11 January.

“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation,” the organisation confirmed. “The investigation is at an early stage, but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”

Because the precise nature of the incident remains undisclosed, Lush will face inevitable speculation that it has been affected by ransomware, but this is entirely unconfirmed.

At the time of writing, Lush’s retail website remains accessible over a public internet connection, which strongly suggests that many of its internal IT systems are unaffected.

Ransomware attacks frequently result in multiple systems being pulled offline – often by panicked IT admins – leading to website outages for customers, which is not currently the case.

Brian Boyd, head of technical delivery at i-confidential, said: “Details [of] this breach are still emerging, so it’s not clear what type of attack Lush is experiencing, but it sounds like the company is investigating the incident and working to contain its spread.

“Lush is a massive cosmetics company that operates globally, so the perpetrators have potentially gained access to a treasure trove of customer data, which they could use to extort the company or to execute targeted phishing scams,” he said. “Lush must inform impacted parties as a priority so they can take steps to protect their data. Customers must understand if and how their data has been impacted, because any compromised information could be used against them.”

Family firm

A family-run company throughout its history, Lush started life as a supplier of products to the Body Shop, but in the mid-1990s moved away from that relationship and pioneered a new and highly successful approach to retailing cosmetics. It sets out its stores with attractive and colourful displays reminiscent of a greengrocers, and places an emphasis on in-house, ethical production methods and environmental sustainability.

This approach has also been applied to its IT estate, with the organisation demonstrating a strong preference to doing things in-house, and heavily favouring open source services and ethical suppliers – its datacentre provider, for example, is powered by renewable energy.

In 2021, the organisation spoke to Computer Weekly about how it gave its authentication systems a thorough makeover after becoming alert to the need to enhance how it protected customer data, given its increasing levels of integration into third-party services that relied on multiple different standards.

This project ultimately saw it pair up with authentication specialist Auth0, which went on to be acquired by Okta in 2022.

At the time of writing, there is no suggestion that the current incident is in any way linked to subsequent compromises of Okta’s infrastructure – that embroiled several other identity and access management specialists. No such link should be inferred.

Learn more about cyber attacks and resilience

Read more on Data breach incident management and recovery

Data Center
Data Management