Experts and Lush customers have been voicing their concerns over the handmade cosmetics group's response to the hacking of the Lush UK website, which left thousands of customers open to card fraud.
One of our readers asked why Lush stored credit card details on remotely accessible servers in the first place (otherwise the hackers wouldn't have had access to them).
As mentioned yesterday, Lush announced that they have implemented a new PCI-DSS compliant system but only for transactions occurring in their stores, not online.
However, the fact that they did not encrypt the customer details held on their website means that they could be barred from accepting credit card payments online, hence their swift move to set up a website that only accepts PayPal payments, a payment process that doesn't require PCI compliance.
The retailer has yet to reply to a request from the Guardian, asking whether it had followed the guidelines set by PCI standards.
The publication of a video with dancing and singing stuffed toys (see below) and the "complimentary nature" of the comment left for the site's hacker(s) have already attracted some very negative comments, although some have backed Lush for owning up to the fact that they were hacked.
Graham Cluley of Sophos comments that Lush could have provided a more sober and thoughtful response rather than a "cheering up" video; what about links to the Getsafeonline website or, as was the case for Skype and Groupon, a straight-faced apology from the CEO himself?