The Smell of Bullshit, part 37: when was the Lush retail site REALLY hacked?

As mentioned in this post, the Lush website was hacked in 2010 and for several months customers were at risk of having their bank card details stolen by the hackers. This story was reported by the BBC, the Guardian, The Register, the BBC (again) and numerous other news sites. In all of those articles, Lush stated that the security breach took place between October 2010 and January 2011, and that’s what they have said ever since.

Perhaps it’s true.

But look at what’s on the forum. Two threads, from July 2010. The first thread was started on 12/07/10 and I have taken screenshots of the first couple of posts.



The second thread was started on 13/07/10 and is about the same thing: on the Lush retail site, clicking on the Gumback Express product brought up a picture of a bed.


Now, I am not a hacker, but I was a Lush customer for many years and I am pretty sure that there shouldn’t have been random photos from Eden Beds on the Lush website. The Eden Beds website no longer exists, by the way. I am pretty sure that the appearance of the bed photos on the Lush website in July 2010 was down to hackers.

I think that the hackers inserted those photos into the Lush site to see if they could and to see how long it would take Lush to notice (and as it turns out, the customers noticed before Lush did) and fix the site security. And if I’m right, that means the Lush website was hacked three months before October 2010 and either Lush lied when they said they were hacked in October, or they didn’t know and possibly still don’t know that they were hacked three months before that.

I wonder how the Information Commissioner would feel about that.


  1. Wonder if any former members of the Lush IT or digital / web teams will be brave enough to comment on this article…….

  2. I don’t think it matters when they were hacked; the fact that still remains is that they were hacked in October. They knew they were hacked in October and left everything running because they were too obtuse to think there was a problem. They buried their heads in the sand and carried on, and because of their stupidity hundreds of loyal customers suffered as a result.

    Once again they have shown that they don’t care about people or decency or ethics.

    They could have taken everything down in October and sorted the hacking there and then but as usual, big headed narcissists that they are, they thought they could sort it while still keeping the money rolling in.

    Then when it happened again in December they thought they had better get customers back on side so they went on the record with Hilary giving the old sob story and the guy in charge publishing his diary (like you’d get time to do that) which basically said “oooh I worked all of Christmas Day sorting out something I could have done 3 months ago, aren’t I a hero!”

    He was made the scapegoat for the whole debacle and is no longer with the company after getting ‘the chat’ you know, ‘we think (you’ve outlived your usefulness) you would be better off elsewhere’.

    And Lush’s apology? Dancing cartoon bears. Nice to know they take things like this seriously.

  3. Lush employees would be too scared to comment on this post because it would be instantly traceable to a handful of people. All I will say is that a certain ‘ethical’ person was particularly good at spinning this particular chapter. Well done for posting this though.

