By now most online retailers will have heard about the security breach that has just occurred on the Lush websites in Australia and New Zealand. It’s not the first security breach for Lush as their UK website was also recently targeted. Lush is now advising their online customers in Australia and New Zealand to talk to their banks about cancelling their credit cards. Wow!
So what happened exactly? Well according to Lush “We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained hackers”.
According to one report from the ABC, Sydney analyst Peter James’s credit card was scammed of $1,400 about two weeks ago. He says he made a purchase on Lush’s website about two years ago using the same credit card, which he rarely used. TWO YEARS AGO!!! Why on earth is Lush storing customers’ credit card details for two years? Or at all for that matter!
You’d think Lush would have looked at their security worldwide when reports came out only last month that their UK site was hacked. In that case, customers’ credit card details were also stolen!
Is Lush to blame in this fiasco? Well in my opinion, definitely. A company of that size should have better knowledge of the risks of a relatively large e-commerce operation. This is no Mom & Pop operation, it’s a multi-national operation. You’d be hard pressed to find a woman in the 25-45 demographic in major cities around the world who doesn’t know and love the Lush brand. When they had their UK breach and discovered that their ‘legacy’ e-commerce system stored credit card details and shut it down, they should have checked all online stores worldwide and followed the same protocol.
As the news of the Lush website takes hold with consumers, they will be even more wary about providing their credit card details online. Unfortunately it will probably have a negative impact on many already nervous online shoppers in this market.
So what can online retailers in Australia take from this hard lesson that Lush has learned? First and foremost, check out your own website security. If it’s in good shape, tell your customers front and centre on your website. And show them with the appropriate links to secure certificates and badges.
Not sure where to start on your website security? Here are my top 5 tips for a more secure e-commerce website:
1. Work with an experienced team. Make sure you are working with a website development company who’s been around the block a few times, and knows the business of e-commerce. While there are a lot of developers out there who can put together a basic e-commerce website cheaply, do they talk to you about how your website fits your business as a whole?
2. Evolve your online store, don’t just set and forget. If you’ve had an e-commerce site for a while (Lush’s site looked very old and haggard for a company whose tagline included the word ‘fresh’), talk to your website development team to ensure that as the web has evolved, your website is not left behind and open to hackers through old coding methods and technologies.
3. If you’re new to e-commerce (or looking for an upgrade), go with a custom built system rather than one of the many ‘free’ e-commerce software systems available on the net. Those ‘free’ systems are ripe and ready for hackers to have a go at. They can reap maximum benefits by going after thousands of websites built off the same software.
4. Always use a reliable payment gateway that is PCI Compliant. There are a few excellent options in Australia such as eWay and Camtech. If you’re low on start up funds and have a small site with just a few products and a low turnover, you could go with PayPal.
5. Buy a quality SSL certificate registered to your domain name – not a ‘shared’ option. Sure they cost a bit extra, but it’s nothing compared to the security of knowing that your customers’ credit card information is sent securely from their browser to the payment gateway.
With the Australian online shopping landscape growing in leaps and bounds, it’s only a matter of time before more online stores get targeted. Do everything you can to not let yours be one of them. Make sure your website is as secure as possible, and whatever you do, please don’t store your customers’ credit card details.

Regarding point number 3: free and open source software is amongst the most proven and secure software in the world (obvious examples include Linux, Apache, PHP, MySQL). The free software to avoid is closed-source software because it isn’t subject to the same level of scrutiny as open source projects. Projects like OSCommerce are a good start for a small e-business.
- MIRV

Thanks. I agree with your comment about open source software. In fact, we use all of the examples you provided (Linux, Apache, PHP, MySQL). What I was referring to was e-commerce sites that are purely based on free, widely used code. These are very often subject to security hacks, trojans and the like due to the code being freely available to hackers and being widely used across the internet, making for a large target. It’s a bit like Mac vs PC. PCs are constantly attacked by hackers hoping to gain user information, Macs are not. So it’s not an open-source vs. closed-source argument, but rather a unique vs. many. Open source e-commerce software certainly has its place, but when used, sites need to be very closely monitored, upgraded regularly, and backed up frequently. As e-commerce systems capture customers’ personal information, that data is subject to the hacking attempts made in a widespread attack across the internet. As an e-commerce merchant you need to weigh up the risks.
- Linda