Sead Fadilpašić

Lush confirms it was hit by a cyberattack - but it isn't saying much else

Cosmetics retailer Lush has confirmed suffering a cyberattack, but the details are currently scarce.

In a short announcement posted on its website, Lush said it was currently “responding to a cyber security incident and working with external IT forensic specialists” as it thoroughly investigates the matter. 

The announcement, posted on January 11, says the investigation is at an early stage. Lush has, however, “taken immediate steps to secure and screen all systems in order to contain the incident” and limit its impact on the company’s operations.

Cosmetics firms in the crosshairs

Until Lush reveals more details, we can only speculate, but given that the company now seeks to “contain the incident”, there is a chance that it fell victim to a ransomware attack. 

Ransomware operators typically try to both encrypt and exfiltrate the data they find on the victim's network, then demand a cryptocurrency payment for its return.

During ransomware attacks, businesses will sometimes shut down their systems to prevent total encryption, and will seek to restore compromised endpoints with the help of backups. 

Even though beauty and cosmetics firms are not the most popular target among ransomware operators, they still get hit from time to time. Estee Lauder, for example, has suffered at least two cyberattacks in recent years, one in 2020, and another one in 2023.

In mid-July 2023, Estee Lauder said the hackers managed to steal some data from its systems and disrupt parts of its operations. The company managed to restore its systems, but was also forced to take down parts of its infrastructure to contain the incident. 

“We take cyber security exceptionally seriously and have informed relevant authorities,” Lush concluded in its announcement. The authorities, besides the police and possibly Europol, would also include the Information Commissioner’s Office (ICO).

TechRadar Pro has contacted Lush for comment.
