As mentioned in this post, the Lush website was hacked in 2010 and for several months customers were at risk of having their bank card details stolen by the hackers. This story was reported by the BBC, the Guardian, The Register, the BBC (again) and numerous other news sites. In all of those articles, Lush stated that the security breach took place between October 2010 and January 2011, and that’s what they have said ever since.
Perhaps it’s true.
But look at what’s on the forum. Two threads, from July 2010. The first thread was started 12/07/10 and I have taken screenshots of the first couple of posts.
The second thread was started on 13/07/10 and is about the same thing: on the Lush retail site, clicking on the Gumback Express product brought up a picture of a bed.
Now, I am not a hacker, but I was a Lush customer for many years and I am pretty sure that there shouldn’t have been random photos from Eden Beds on the Lush website. The Eden Beds website no longer exists, by the way. I am pretty sure that the appearance of the bed photos on the Lush website in July 2010 was down to hackers.
I think that the hackers inserted those photos into the Lush site to see if they could and to see how long it would take Lush to notice (and as it turns out, the customers noticed before Lush did) and fix the site security. And if I’m right, that means the Lush website was hacked three months before October 2010 and either Lush lied when they said they were hacked in October, or they didn’t know and possibly still don’t know that they were hacked three months before that.
I wonder how the Information Commissioner would feel about that.