The Akira ransomware gang is claiming responsibility for the “cybersecurity incident” at British bath bomb merchant Lush.
Akira says it has stolen 110 GB of data from the UK-headquartered global cosmetics giant, which has more than 900 stores worldwide, allegedly including “a lot of personal documents” such as passport scans.
Passport scans are routinely collected to verify identities during the course of the hiring process, which suggests Akira’s affiliate likely had access to a system containing staff-related data.
Company documents relating to accounting, finances, tax, projects, and clients are also said to be included in the archives grabbed by the cybercriminals, who are threatening to make the data public soon. There is still no evidence to suggest customer data was exposed.
Akira’s retro-vibe website separates victims into different sections: one for companies who didn’t pay the ransom and thus had their data published, and another for those whose data is to be published on an undisclosed date.
A likely conclusion to draw, if the incident does indeed involve ransomware as the criminals claim, is that there may have been negotiations which have stalled, with Akira using the threat of data publication as a means to hurry along the talks.
The Register approached Lush for comment. Its representatives acknowledged the request but did not provide a statement in time for publication.
Lush last communicated about the situation on January 11, saying it was responding to an “incident” and working with outside forensic experts to investigate the issue – phrasing often used in the wake of a ransomware attack.
“The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations,” it said. “We take cybersecurity exceptionally seriously and have informed relevant authorities.”
The statement came a day after a post was made to the unofficial Lush Reddit community. Written by a user who seemingly had inside knowledge of the incident, the post claimed members of staff were instructed to send their laptops to head office for “cleaning” – an assertion that El Reg understands to be true.