The hacker compromised clients who placed online orders with the firm from October last year until just a few days ago. Customers who may have been exposed have been requested to contact their banks for advice. These clients were contacted by e-mail on 20 January.
A full external Forensic Investigation of the security breach has been started.
The firm has announced that a completely separate, temporary website will be launched in a few days - initially taking PayPal payments only.
Lush Cosmetics also posted a message to the hacker stating “If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers”.
