Can a video of singing lemmings make up for having your credit cards stolen?

Graham Cluley
Graham Cluley
@[email protected]

LushThe cosmetics store Lush is making the headlines for all the wrong reasons today, as they announced they were suspending online sales after their website was broken into by hackers.

In a statement on the site, the handmade cosmetics firm explains that customers who purchased goods online between 4 October 2010 and 20 January 2011 may have had their credit card details stolen as a result of the security breach:

We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.

For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

Sign up to our free newsletter.
Security news, advice, and tips.

Lush warning on their website

In a tongue-and-cheek message to the hacker, Lush said it admired the hacker’s “formidable” skills but would not be offering him a job.

If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.

In perhaps the most bizarre twist of all, Lush has posted a video of toy lemmings singing a song by Elbow on its front page.

Although the news for customers is very worrying, Lush is clearly trying to present the news in a warm-and-cosy way.

Lush says they are trying to cheer themselves up, but you have to wonder if their customers would be wise to spend five minutes watching the stuffed toys singing their song rather than checking their bank account for unexpected activity.


If I were a customer of Lush’s website I wouldn’t feel like smiling this morning.

It would certainly be interesting to hear when Lush first discovered that they had suffered from a security breach. Was it at the same time as they posted the message on the front page of their website, or have they known for longer?

And was the customer credit card information not encrypted? If it had been strongly encrypted then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud.

Judging by comments on Twitter and Facebook from affected customers, some don’t appreciate Lush’s attempts to smooth the waters and might have been happier with a more sober and thoughtful response – such as links to advice about what to look out for.

It’s also unclear whether Lush has emailed affected customers, or if it is relying on users’ visiting their website to hear about the security breach. Certainly anyone who bought a “difficult female relative” some nice-smelling soap for Christmas is unlikely to visit the site in the immediate future.

Update: Thanks to reader Julie who forwarded us an email she received from Lush, notifying her of the security breach:

Lush notification email

All companies need to treat the security of their customers’ personal information and credit card data seriously to reduce the chances of hackers being able to cause harm and corporate embarrassment.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.