Lush cyber attack claimed by Akira ransomware gang
The group says it has accessed and will release data including passports, tax information, and client data


A cyber attack on the UK-based cosmetics and bath product company Lush has been claimed by the Akira ransomware group.
The incident was first reported on 11 January, with Lush saying it was working with external IT forensic specialists to try to uncover what happened.
"The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations," the company said in a statement. "We take cyber security exceptionally seriously and have informed relevant authorities."
Now, the Akira ransomware gang appears to have claimed responsibility for the attack.
"110 GB of their files are prepared for uploading. There are a lot of personal documents especially passports. Accounting, finance, tax, projects, clients information and much more could be found in the archives we are going to share," it says in a post shared by the RansomLock open source ransomware-tracking website.
Read more
Lush says it’s now operating largely as normal. However, Brian Boyd, head of technical delivery at security firm i-confidential, says there may be more effects to come.
"Lush is a massive cosmetics company that operates globally, so the perpetrators have potentially gained access to a treasure trove of customer data, which they could use to extort the company or to execute targeted phishing scams," he says.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Lush must inform impacted parties as a priority so they can take steps to protect their data. Customers must understand if and how their data has been impacted, because any compromised information could be used against them."
The Akira group was first observed during spring last year and was found targeting Cisco VPNs that were not configured for multi-factor authentication (MFA). According to Sophos, it has mainly targeted organizations located in Europe, North America, and Australia, attacking sectors as diverse as government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications.
RELATED RESOURCE
What are the essentials of a developer security platform?
The group has already been busy this year, carrying out several attacks: Earlier this month, it was confirmed to be the gang behind the hack of Toronto Zoo, with the group saying it was publishing 133GB of data, including NDAs and confidential agreements, as well as personal files such as drivers' licences.
It has also claimed responsibility for the recent hack of Finnish IT services and enterprise cloud hosting provider Tietoevry. The attack affected one of Tietoevry's data centers in Sweden affecting cloud hosting customers including Sweden's largest cinema chain, Filmstaden, retail chain Rusta, and numerous universities and colleges.
In the last few days, the group has claimed attacks on Brazilian Business Park, ANI Networks, Ding Sheet Metal and Valley Telecom Group.
"It was also responsible for breaching almost 465,000 records in 2023 and had an average ransom of $1 million," says Rebecca Moody, head of data research at Comparitech.
In response to Akira's claims, Lush told ITPro: "We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners we are working hard to validate these claims."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Application security risk: How leaders can protect their businesses
Application security risk is higher than ever, as new services and expanding attack surfaces put pressure on cyber leaders
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
Redstor and TitanHQ merge to create ‘MSP-first’ security provider
News The new business Redstor’s and TitanHQ’s solutions to create a unified and integrated MSP security platform
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years
-
5 Steps to Prioritize Based on Risk with Snyk
-
Beyond the Vulnerability Backlog: Building Risk-Based AppSec Programs