Lush has opened a “thorough” investigation after a cyberattack impacted its systems. The British body care company is currently addressing the incident with the assistance of outside IT forensic experts.
The company has notified the appropriate authorities and takes cyber security “exceptionally seriously,” according to the statement.
One such authority is the UK’s Information Commissioner’s Office (ICO); by law, businesses must notify the ICO of any breaches involving personal data within 72 hours of becoming aware of them.
The ICO promotes the public’s information access rights and data privacy.
In 2023, 32% of UK businesses experienced cyberattacks, with the percentage rising to 69% for large businesses, according to IT support services provider AAG.
As of right now, the attack’s nature and scope are unknown.
“The investigation is at an early stage but we have taken immediate steps to secure and screen all systems to contain the incident and limit the impact on our operations,” Lush said in a statement.
Other beauty companies have also been targeted by such incidents; last year, a cyber breach affected the Estée Lauder Companies (ELC).
Data from the internal systems of the beauty company was obtained by a hacker.
To prevent more data from being stolen, the owner of MAC and Tom Ford was forced to shut down a portion of its network after the hack.
On June 7, 2023, the Russian cybercriminal group Clop launched a cyberattack against Boots as well.
The health and beauty retailer in the UK was one of thousands of businesses whose employee data—which included names, addresses, bank account information, and national insurance numbers—was compromised.
Lush Retail Ltd., a British cosmetics retailer, is surrounded by uncertainty after confirming a cybersecurity incident within the company. Although there are still few details available, the news has left both industry insiders and consumers curious about how far down this aromatic rabbit hole it goes.
The news was announced by the company in a succinct statement, which said they are “currently responding to a cybersecurity incident” but did not elaborate on the type of attack or its possible targets. With worries ranging from operational disruptions to customer data breaches, this enigmatic stance has only served to fuel speculation.
“Lush UK&I is currently responding to a cyber security incident and working with external IT forensic specialists to undertake a comprehensive investigation. The investigation is at an early stage but we have taken immediate steps to secure and screen all systems to contain the incident and limit the impact on our operations. We take cyber security exceptionally seriously and have informed relevant authorities.”
Analysts advise consumers to avoid becoming complacent and to stay alert for shady emails or messages purporting to be from Lush.
As the investigation progresses, Lush clients can take the following proactive actions:
- Change up your passwords: As a precaution, change the login information for any online accounts linked to Lush.
- Be wary of phishing: Be cautious when responding to emails and other correspondence purporting to be from Lush. If you are not sure about the legitimacy of an attachment or link, don’t open it.
- Monitor your credit reports: Watch for any unusual activity that might indicate unauthorized access to your financial data.
Should Lush decide to disclose additional information about the cyber attack. One thing is certain, though: over the past few months, there has been an extraordinary increase in cyberattacks in the UK.
It was revealed earlier this month that hackers used LinkedIn to carry out a planned cyberattack on Nuclear Waste Services in the UK. Samsung revealed a data breach in November 2023, a few months prior, in which hackers stole customer data from Samsung locations in the UK.