The Real Business Impact of Being Hacked

Thursday, February 03, 2011

Rafal Los


Lush Cosmetics has a problem that is about more than just image.

The attack and compromise of their e-commerce site in the UK caused the company to not only launch an investigation but to completely shut down their site and rebuild from the ground up.

The implications of being hacked are generally thought of as simply an image problem: will customers come back after receiving "the letter" (the breach notification), or will they simply stay away?

Research and revenue figures have shown that customers can be more forgiving than some of us would expect, but there is a definite dip in revenue, even if a temporary one.  What makes this case unusual is that Lush Cosmetics has completely shut down its e-commerce website.

Lush left this message for its customers:

"A completely separate, temporary website will be launched in a few days - initially taking PayPal payments only."

That's not good.  Losing even a few days of global online revenue, plus the reputational cost of being offline for a 'few days', is bad enough, and you don't need an MBA to see that.

Only, this is where the matter gets worse.  The news is that the site will be down for several months while it is completely rebuilt from scratch... now that is an ouch.

"The firm's ethics director, Hilary Jones, said: 'The temporary site will be ready soon, but the rebuilt site - that's a few months off.'

She said the new website was being built internally. She said the company didn't know what the effects would be on sales, saying looking after customers was the priority."

I don't have any experience in sales forecasting, but I can tell you exactly what the effect will be on sales - negative.  

The percentage?  Only time will tell.  As a customer, would you go back to a site that was not only allegedly careless with your credit card data, but was then also offline for quite some time?  Again, only time will tell.

Businesses that choose to accept the risk of compromise, adopting the "we won't get hacked" mantra, should carefully reconsider.  Even if your customers don't hold you accountable, how long will you be down as a result, and how much will that cost you in sales?

Now... compare that against the cost of doing the right thing and applying proper security to the sites you build - I bet the ROI is there.

Think carefully - cases like this, a real-life exploit followed by catastrophic business losses, are starting to pile up.  Will your company be next?

Remember, the hungry predator doesn't care that the Ostrich has its head in the sand, it can still see you - and eat you.

Cross-posted from Following the White Rabbit

Ben Keeley Very interesting case the LUSH hacking. Outside of the company we'll never know, but can't help but wonder about PCI DSS compliance issues?
Rod MacPherson Rafal, I actually think that taking the site offline for a few days, coming back with a temporary paypal only site and rebuilding from scratch, all the while making sure the customers are kept well informed of why will probably work out well for Lush. I think that is a carefully planned method of damage control. Word is already out that they've been hacked. Going through this process shows their customers that they are taking it seriously and that they care about making the site safe.
Let's face it, no one is in such desperate need of cosmetics that a day or two of not being able to buy online matters. Lush's whole reputation is that they care. artificial scents for those allergic to the usual stuff, all made by hand, etc. This, I'm sure, is a carefully planned demonstration that they are different from "the big corporations" and don't try to just sweep this under the carpet.
Londyn van Zyl I completely agree with Rod. I personally use Lush cosmetics because of how much they care about their customers. To me shutting down their site just shows that they are willing to go the distance to keep my information safe. As opposed to just creating a quick fix that still leaves other vulnerability paths open.
Lee Mangold Now let's just back up a second... There's missing data here, obviously (from Lush, not Rafal). If you are completely rebuilding a site, that means you don't know either 1) How the breach occurred or 2) How to patch the need better software engineers...

A second note here...Install an open source E-Commerce package on a Linux box, set up mod_security, use SELinux (or sandbox methods), use appropriate permissions, Snort IPS, etc.. and have your site back online in a week... OR sign up for a reputable hosted service, don't build your own stuff, and get back to your CORE BUSINESS.

Maybe this is a rant, but there's no reason to "rebuild" your OWN ecommerce or CMS package, set up a temp-shop and lose money. Is Lush an IT company???

Something doesn't make sense here...
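The "use appropriate permissions" step in the comment above is the kind of check that can be scripted and run before a rebuilt shop goes live. The following is an added example, not code from the original post or from Lush: a POSIX shell audit of a web document root that flags world-writable paths (which let a compromised web process rewrite its own code) and leftover artefacts such as VCS metadata, editor backups, SQL dumps and .env files that should never sit in a served tree. The docroot path and the artefact name patterns are assumptions; extend the pattern list for your own stack.

```shell
#!/bin/sh
# Added example (not from the original post or from Lush): a minimal
# pre-launch audit of a web document root. Assumes a GNU or BSD `find`.
# The artefact patterns below are an assumed starting list, not a
# complete one.

# Print every file or directory under $1 that is world-writable,
# excluding symlinks (their mode bits are not meaningful).
list_world_writable() {
    find "$1" -perm -002 ! -type l 2>/dev/null
}

# Print paths under $1 whose names match artefacts that should never be
# deployed into a served tree (assumed pattern list).
list_leftover_artifacts() {
    find "$1" \( -name '.git' -o -name '.svn' -o -name '.env' \
        -o -name '*.bak' -o -name '*~' -o -name '*.orig' \
        -o -name '*.swp' -o -name '*.sql' \) 2>/dev/null
}

# Run both checks against the docroot given as $1.
# Prints one labelled finding per line; returns 0 when clean, 1 otherwise.
audit_docroot() {
    docroot="$1"
    findings=$( {
        list_world_writable "$docroot" | sed 's/^/WORLD-WRITABLE: /'
        list_leftover_artifacts "$docroot" | sed 's/^/LEFTOVER: /'
    } )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Number of findings for $1, for callers that want a count rather than
# a pass/fail status.
count_findings() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# Usage: ./audit_docroot.sh /var/www/shop  (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

Run it as the deploy user against the docroot before switching the temporary PayPal-only site back to the rebuilt one; a non-zero exit is a reason to stop the rollout, not a warning to scroll past.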
Rafal Los @Lee - you're right, something doesn't add up here.

Everyone else - I realize that there is an issue that you're clinging to here, and that is the fact that LUSH is 'taking care of the customer'...but - you have to realize what Lee is saying is dead on. Why would they totally rebuild the site from scratch if there wasn't something systemically wrong with it that they couldn't (a) identify or (b) fix?

What's worse is this - they're not making ANY money from their online site right now, while they're down. Now, this may not be a significant enough dent in their bottom line if they've got store-fronts and are embedded in large malls ...but I suspect that is not the case. So what's happening is a true and very real loss of revenue that no PR will bring back.
Ben Keeley Agreed - my view is they have no idea how to stop it on current code/solution base (begs the question are they aware of all entry points)

It's being 'spun' as a caring move towards the customer base.... This is interesting:
Rod MacPherson Rafal,
LUSH is a multi-national company with storefronts in malls. There are at least 2 of them that I've visited in Toronto. That's the part of the picture you are missing I think. I seriously doubt that much of their sales come from the website.
Also I imagine that the "rebuilding" that's going on IS choosing a commercial CMS and redesigning the look of the site so that users feel like it is a major overhaul. Non-IT people wouldn't know that a change that fixes a hole may not have any visible change to the site, so I'm sure that most of the changes they will have made will be cosmetic to set in people's minds that there has been major work done to the site to make it safer.

I still stand by my original assessment that this is likely more a marketing speedbump deliberately put in place to make it FEEL like they are taking it seriously and doing something. Like Johnson and Johnson adding a drop of alcohol to their antiseptic so it will sting a little because people didn't believe that something that didn't hurt would work.
Rod MacPherson "...most of the changes they will have made will be cosmetic..." No pun intended.

BTW, If you ever see a LUSH shop check it out. They have some really cool soaps, but it feels a little like you've gone back in time a century or two when you watch them cut a "bar" off the big slab with a knife.
Lee Mangold Color me confused (shocking, I know)...

Based on the recommendation from @Rod I decided to check if there was a Lush storefront nearby. Surprisingly, is online (with stores in the US and Canada) while is "offline". The registration information is completely different for both: one is private (.com), one is not ( and presumably maintained by

Is this company one-and-the-same? If so, now I'm really confused

**** EDIT ****
In comparing the .com site to the pdf order form, they sell the SAME products with the SAME (unique) names. Oh, and did I mention the product IDs match?

So here's a new series of questions: 1) Why is the site not using the .com infrastructure (at least temporarily) and 2) Is the US site running off the SAME vulnerable infrastructure?
Lee Mangold Followup: I found a cached page from the site on Google with comments as recent as June 2010, in the code. I found this:

The .com site is using something else (not Joomla)...
Lee Mangold Okay...the end of my quest is here. If you go to you'll see they link to their international locations ( and are both there). If you click around, you'll see many different engines/infrastructures used in the same company. In fact, the Hong Kong site was reported as a phishing site... Are there vulnerable Lush sites still out there...?
Londyn van Zyl I am going to admit that I would definitely be considered non-IT and a lot of the comments here have made me question my original opinion. However, that doesn't change that their business won't be too affected. Their overall mission is to provide beauty products that are completely natural and wonderful for your skin. The first time I ever heard of them was in a galleria in my hometown about 6 years ago. They literally let you sample every bar, exfoliant, scrub, even a mask if you wanted. Then after you have tried everything you could possibly imagine they give you a sample of anything you want to try for a week and see if it works well for you. They even say come back in a week and get another sample if you still aren't sure. I've been several times since and it still hasn't changed. Their value is not only in the non toxic products they make but also from the wonderful experience they provide to their customers. Overall any impact the site being down would cause would be marginal.

Don't misunderstand, it is still crucial to be capable of protecting my personal data but I still can't say I would stop going. I'll just have to hit up the ATM first!
Lee Mangold What if gross negligence is discovered and they lose their ass in court fees and judgments? If they're operating all these different sites in an adhoc and unplanned manner while accepting credit cards and not following BBPs, that's negligence in my book...

I'm fairly certain that would affect EVERY aspect of their business...
Ben Keeley Was thinking about this over night. Best recent example of honesty after a hacking attempt I've seen is this one from Apache last year - even then though they didn't rebuild the whole site.

So is the hacking attempt A) an excuse for new design B) someone with skills has looked at site/solution and advised fundamental changes or C) The means of access are still not fully understood, hence start with a clean slate...

Have to say I disagree that it's just 'a marketing speedbump deliberately put in place to make it FEEL like they are taking it seriously', why set yourself up for the questions and loss of revenue? If it was an easy fix, take site offline for a week, fix it, get it pentested in a production-like environment, then presuming all is well, bring it back into production.

More going on here I personally think.
Lee Mangold Well, I guess that's +1 for me...Geeze... I suppose Lush is off to "rebuild" another site now...
Ben Keeley Yup! They've got to feel some regulatory pain for this now.
Lee Mangold One would hope, but I'm not sure what the laws are like in the countries involved.

And we know Visa/MC won't really care...which is a different story...
Rafal Los @Lee -Nice digging. I did some of the same but couldn't really post much of it due to the fact that the parent company wouldn't be thrilled with the investigative nature of the work :)

This brings to light some of the broader dangers of deploying publicly accessible web sites, and just how seriously people DO NOT take security until it's adversely impacted their bottom lines.

Software Security Assurance is more important than a patching strategy, in my opinion, in modern networks ...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.