Lush, the privately-owned British cosmetics retailer with stores in North America, is “currently responding to a cyber security incident.” a spokesperson has confirmed.
The company, which operates in 49 countries, also owns production facilities in Europe, Japan and Australia. It is not clear if these have been affected.
Although the nature of the incident has not been announced, it follows what was almost certainly a record year for ransomware incidents for organizations in the United Kingdom.
During just the first half of 2023, ransomware criminals had already compromised 667 organizations in the country — equivalent to just over 94% of the 706 affected in the entirety of the year prior.
According to a statement sent to Recorded Future News, Lush said it was “working with external IT forensic specialists to undertake a comprehensive investigation.”
The identity of the specialists was not recorded. The country’s National Cyber Security Center (NCSC) has certified a number of firms under its Cyber Incident Response scheme for victim organizations to contact following a hack.
“The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations,” Lush’s statement added.
Businesses that suffer a data breach have a duty to inform the Information Commissioner’s Office (ICO), Britain’s data protection regulator, which can fine organizations that fail to report a breach up to 4% of their global turnover.
“We take cyber security exceptionally seriously and have informed relevant authorities,” Lush said.
Despite the reporting requirement, last year the NCSC and ICO published a joint blog post saying they were “increasingly concerned” that ransomware victims were keeping incidents hidden from both law enforcement and from regulators.
Get more insights with the
Recorded Future
Intelligence Cloud.
No previous article
No new articles