Cosmetics firm Lush shuts Web site after hack attack

Since this kind of thing seems to be happening rather regularly, LUSH shouldn't be held singularly at fault. At the same time, e-tailers can't afford to get blase about this issue. Due to no fault of its customers - other than to place their trust on LUSH to keep their financial information safe - LUSH is putting its customers to a lot of trouble by asking customers to contact their banks for advice.

Even as the customers have to bear the anxiety, can't LUSH at least spare them the effort by taking this up collectively on behalf of all affected customers with the respective banks?

Reading various other reports, it does seem as if LUSH were rather laid back in watching this happen for a good few weeks/months rather than interceding immediately.

Also they appear to be in breach of PCI-DSS if the Cardnumbers weren't encrypted?

From all reports it would indicate that the e-Commerce entity may have had a particularly laissez-faire attitude towards Information Security - the fact that there were multiple vulnerabilities and that the e-Commerce section of the site had to be completely taken down are quite telling of the situation.

One has to question how the Merchant Acquirer failed to identify potential issues as part of the Merchant Audit required as per PCI:DSS - assuming it was audited by qualified Certified Security Assessors.