“Handmade cosmetics group Lush has admitted its website was hacked repeatedly by fraudsters over the past three months, putting thousands of customers at risk of having their card details stolen. But the company only informed customers last night.

The fact that Lush is warning customers to contact their banks may indicate it has failed to encrypt the details held on its site – which, if true, could mean it has failed to meet regulations known as PCI compliance, which governs the storage of card details by websites in Europe.

Many customers are also speculating why it took Lush so long to inform customers if the website was first hacked in October, especially as its statement indicates it has 24-hour web security.”

From The Guardian