Ethical beauty retailer Lush is to open a temporary website next week, having closed its UK site after it was targeted by hackers.


Last week Lush warned customers hackers might have stolen credit card details. It is redesigning one of its international sites to display UK prices and products. The temporary site is expected to be basic and will accept PayPal payments only.

Lush ethical director Hilary Jones said that before the attack Lush was already developing a new site, which it expects to launch in April or May. It will be assessed by an expert recommended by the Payment Card Industry (PCI) Security Standards Forum.

Lush’s permanent site was closed last week. The company sent an email to customers warning that anyone who placed an order online between October 4, 2010 and January 20, 2011 should contact their bank “as their card details may have been compromised”.

Jones said that, while retailers are advised not to make such attacks public, Lush wanted to ensure transparency. She said: “As an ethical company we could not keep this information to ourselves.”

Lush, whose founders Mark and Mo Constantine were recognised in the Queen’s New Year Honours List, said it did not know how many customers might have been affected. Jones said police believe the hackers were working outside the UK.

An investigation by the PCI Security Standards Forum has begun and Lush could face a fine of up to £500,000 from the Information Commissioner’s Office for failing to protect customer data.

Graham Cluley, senior technology consultant at antivirus firm Sophos, said retailers need to put in place PCI standards and data protection to protect customers. He said: “If appropriate measures are in place, even if hackers do manage to break in the information stolen will be useless gobbledygook.”