Lush, a leading British cosmetics retailer, is actively addressing a cybersecurity incident, showcasing a proactive approach to safeguarding its operations.
Lush, a privately-owned British cosmetics retailer with North American stores, has confirmed it is actively responding to a cybersecurity incident, according to a spokesperson. The company, with a presence in 49 countries and production facilities in Europe, Japan, and Australia, has not specified if these facilities are affected.
The incident’s undisclosed nature follows a likely record year for ransomware incidents in the UK, with criminals compromising 667 organizations in the first half of 2023, surpassing the 706 affected in the entire previous year.
Lush, collaborating with external IT forensic specialists for a comprehensive investigation, has not disclosed their identity. The National Cyber Security Center (NCSC) certified several firms under its Cyber Incident Response scheme for organizations affected by hacking incidents.
In a statement to Recorded Future News, Lush emphasized taking immediate measures to secure and scrutinize all systems, containing the incident and minimizing the impact on operations. In the event of a data breach, businesses must inform the Information Commissioner’s Office (ICO), the UK’s data protection regulator, which can impose fines of up to 4% of global turnover on organizations failing to report breaches. Lush underscored, “We take cybersecurity extremely seriously and have notified relevant authorities.”
Despite the reporting requirement, the NCSC and ICO expressed concern in a joint blog post last year, noting an increasing tendency among ransomware victims to conceal incidents from law enforcement and regulators.
Story credit
Related stories:
