Lush claimed by Akira ransomware


A prominent ransomware gang, Akira, has just dropped a big bomb on cosmetics giant Lush, popular for its bath bombs, among other products.

Lush is a British cosmetics retailer, up and running for nearly 30 years and operating almost 1,000 stores worldwide.

The Poole-based skincare company addressed the gang’s ransomware charges in a statement sent to Cybernews on Friday.

“We recently experienced a ransomware incident involving temporary, unauthorised access to part of our UK IT system,” a Lush spokesperson said.

“We took immediate steps to respond to the matter and, following a short period of limited disruption, we are now operating largely as normal,” they said.

Although the company immediately launched an “ongoing” and “comprehensive investigation" involving outside security experts, the Lush spokesperson said that “Customer credit card data, ECommerce, and Retail payment gateways were not affected by this incident.”

The company first admitted it was dealing with a “cybersecurity incident” on January 11th.

Two weeks later, on January 25th, Lush’s name popped up on Akira ransomware gang’s data leak site. As yet, the gang hasn’t shared or posted any data allegedly belonging to Lush, but the company is listed among its upcoming data releases.

Lush Akira Ransomware

“We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners, we are working hard to validate these claims,” the Lush spokesperson said Friday.

“We have informed the relevant authorities about this incident, including the ICO and police,” they said.

In 2023, a total of 66 active ransomware groups were identified and operating within the digital landscape, the Cybernews Ransomlooker tool reveals. Akira was among the most active ransomware gangs out there, with a total of 169 victims.

Chester Wisniewski, Director, Global Field CTO, at cybersecurity company Sophos, said it was unclear if this was a ransomware attack or simple extortion without an encryption component.

“Akira is developing into a force to be reckoned with. We first observed them in early 2023 and have seen an increasing number of victims approach our incident response service. They seem to favour attacking vulnerable Cisco VPN products and remote access tools without MFA deployed,” Wisniewski said.

While the cause of Lush's alleged breach remains unclear, it is “a great reminder on the importance of expedient patching of all external facing network components and the requirement for multi factor authentication for all remote access technologies.”


More from Cybernews:

Microsoft lays off 1,900 Activision Blizzard, Xbox staff

UK authorities intercept Snapchat after Taliban claim – media

YouTube scam features fake Jennifer Aniston

Chickpeas sprouted on Moon soil, thanks to fungi

750M Indian phone numbers up for sale on dark web

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked