TLDR: British Cosmetics Firm Lush Confirms Cyberattack

Lush, the British cosmetics retailer with stores in North America, has confirmed that it is currently responding to a cyber security incident. The company, which operates globally, is working with IT forensic specialists to investigate the incident. The National Cyber Security Center (NCSC) has certified a number of firms for victim organizations to contact in the event of a hack. Lush has taken immediate steps to secure and screen all systems to contain the incident and minimize the impact on its operations. The company has informed relevant authorities and takes cyber security seriously.

In 2023, there was a record number of ransomware incidents in the UK, with 667 organizations compromised in the first half of the year. Lush has not disclosed the nature of the attack, but ransomware is suspected as it was a prevalent threat during this period. The company’s production facilities in Europe, Japan, and Australia have not been confirmed as affected.

Under UK law, businesses that suffer a data breach have a duty to inform the Information Commissioner’s Office (ICO), and failure to do so can result in fines of up to 4% of global turnover. Lush has confirmed that it has informed the relevant authorities, indicating compliance with this requirement. However, there are concerns that some ransomware victims are keeping incidents hidden from law enforcement and regulators.

In response to the incident, Lush is working with external IT forensic specialists to undertake a comprehensive investigation. The identity of these specialists has not been disclosed. The company is taking the necessary steps to secure and screen all systems to contain the incident and minimize the impact on its operations. This incident reflects the increasing prevalence of cyberattacks targeting businesses around the world.