Lush cyber attack claimed by Akira ransomware gang
The group says it has accessed and will release data including passports, tax information, and client data


A cyber attack on the UK-based cosmetics and bath product company Lush has been claimed by the Akira ransomware group.
The incident was first reported on 11 January, with Lush saying it was working with external IT forensic specialists to try to uncover what happened.
"The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations," the company said in a statement. "We take cyber security exceptionally seriously and have informed relevant authorities."
Now, the Akira ransomware gang appears to have claimed responsibility for the attack.
"110 GB of their files are prepared for uploading. There are a lot of personal documents especially passports. Accounting, finance, tax, projects, clients information and much more could be found in the archives we are going to share," it says in a post shared by the RansomLock open source ransomware-tracking website.
Read more
Lush says it’s now operating largely as normal. However, Brian Boyd, head of technical delivery at security firm i-confidential, says there may be more effects to come.
"Lush is a massive cosmetics company that operates globally, so the perpetrators have potentially gained access to a treasure trove of customer data, which they could use to extort the company or to execute targeted phishing scams," he says.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Lush must inform impacted parties as a priority so they can take steps to protect their data. Customers must understand if and how their data has been impacted, because any compromised information could be used against them."
The Akira group was first observed during spring last year and was found targeting Cisco VPNs that were not configured for multi-factor authentication (MFA). According to Sophos, it has mainly targeted organizations located in Europe, North America, and Australia, attacking sectors as diverse as government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications.
RELATED RESOURCE
What are the essentials of a developer security platform?
The group has already been busy this year, carrying out several attacks: Earlier this month, it was confirmed to be the gang behind the hack of Toronto Zoo, with the group saying it was publishing 133GB of data, including NDAs and confidential agreements, as well as personal files such as drivers' licences.
It has also claimed responsibility for the recent hack of Finnish IT services and enterprise cloud hosting provider Tietoevry. The attack affected one of Tietoevry's data centers in Sweden affecting cloud hosting customers including Sweden's largest cinema chain, Filmstaden, retail chain Rusta, and numerous universities and colleges.
In the last few days, the group has claimed attacks on Brazilian Business Park, ANI Networks, Ding Sheet Metal and Valley Telecom Group.
"It was also responsible for breaching almost 465,000 records in 2023 and had an average ransom of $1 million," says Rebecca Moody, head of data research at Comparitech.
In response to Akira's claims, Lush told ITPro: "We know the group responsible for this incident have made claims regarding data they have taken relating to Lush. Alongside our specialist partners we are working hard to validate these claims."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Ingram Micro cyber attack: IT distributor says system restoration underway
News Ingram Micro is gradually getting back on its feet after a recent cyber attack severely disrupted systems.
-
The UK government is working with Meta to create an AI engineering dream team to drive public sector adoption
News The Open-Source AI Fellowship will allow engineers to apply for a 12-month “tour of duty” with the government to develop AI tools for the public sector.
-
Ingram Micro cyber attack: IT distributor says system restoration underway – but some customers might have to wait for a return to normality
News Ingram Micro is gradually getting back on its feet after a recent cyber attack severely disrupted systems.
-
M&S chair calls for mandatory reporting of cyber attacks after "traumatic" ransomware incident – but will it do more harm than good?
News M&S chair Archie Norman has called for mandatory reporting amid claims two large UK companies were hacked without any public knowledge.
-
Arrests made in hunt for hackers behind cyber attacks on M&S and Co-op
News The suspects remain in custody for questioning by officers from the NCA's National Cyber Crime Unit
-
Ransomware attacks carry huge financial impacts – but CISO worries still aren’t stopping firms from paying out
News Increased anxiety over ransomware links directly to its devastating impact on business processes and one’s bottom line
-
‘The worst thing an employee could do’: Workers are covering up cyber attacks for fear of reprisal – here’s why that’s a huge problem
News More than one-third of office workers say they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack.
-
Developers face a torrent of malware threats as malicious open source packages surge 188%
News Researchers have identified more than 16,000 malicious open source packages across popular ecosystems
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics