Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
- Lush's website was hacked repeatedly by fraudsters over the past three months, putting thousands of customers at risk of having their card details stolen [3726].
- Lush became aware in late December that their website had been the subject of attacks by hackers, leading to the immediate takedown of the UK website and implementation of extra security measures [3726].
(b) The software failure incident having happened again at multiple_organization:
- The incident at Lush highlights the ongoing threat of cyber attacks targeting websites and customer data [3726].
- Customers expressed concerns about the delay in informing them about the security breach, indicating a common issue across organizations facing similar incidents [3726]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident at Lush's website points to a design failure: the site was hacked repeatedly over roughly three months, and the article raises the possibility that stored card details were not encrypted, which indicates security weaknesses in how the site was built and maintained rather than a one-off operational slip. The article does not identify the specific vulnerability the attackers exploited; what it reports is that thousands of customers' card details were put at risk [3726].
(b) The operation of the website also contributed. The attacks are reported to have run from October 2010, yet Lush says it became aware of them only in late December, and it did not notify customers until January, despite having 24-hour web security monitoring in place. Customers expressed disappointment and concern over the delay and asked why notification took so long [3726]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) The software failure incident reported in the articles is primarily within_system. The website was hacked repeatedly by fraudsters, putting thousands of customers' card details at risk, which means the attackers were able to get past whatever security measures the site had; the article specifically questions whether stored card details were encrypted [3726]. Lush's response was also internal to the system: it took the website down and implemented new security measures to stop the ongoing attempts to re-enter it [3726].
(b) The incident also had outside_system elements. The attackers were external to the system and gained unauthorized access from outside, and the investigation involved external parties, banks and credit card acquirers, working with Lush on the hacking attempts and the breach [3726]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The non-human element of the incident is the state of the website itself: it contained security weaknesses that allowed fraudsters to break in repeatedly over the past three months, putting thousands of customers' card details at risk, and the article questions whether stored card details were encrypted [3726]. The break-ins themselves were not non-human events; they were deliberate actions by external attackers (see (b)).
(b) Human actions drove the incident. The hacking was deliberate, repeated and carried out by people outside the system. On Lush's side, questions were raised about when the company first discovered the breach and why it took so long to inform customers, and customers expressed disappointment and frustration at the delay, so the response to the incident also carries a human element [3726]. |
Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
- The incident is a security breach in which Lush's website was hacked repeatedly by fraudsters, putting customers' card details at risk [3726].
- The article reports no hardware fault. The servers hosting the website and its customer data were the target, but nothing in the account attributes the breach to the hardware itself rather than to the software running on it.
(b) The software failure incident related to software:
- The breach is best explained by weaknesses in the website software and its configuration that let the hackers repeatedly get in and reach customer card details; the article does not name the specific flaw [3726].
- Lush took down its website and implemented extra security measures after becoming aware of the attacks, which is consistent with a software-level problem in the site's security rather than a hardware one [3726]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident reported in Article 3726 was malicious in nature. Fraudsters hacked Lush's website repeatedly over a period of three months in order to obtain customers' card details, a deliberate attempt to steal sensitive information rather than an accident [3726]. Lush advised customers to contact their banks and acknowledged that the site remained a target for further attacks, and the security experts and consultants quoted in the article stressed the severity of the breach and its possible consequences for Lush, including the loss of its ability to accept credit card payments online [3726]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident at Lush's website was primarily due to poor decisions made by the company. The website was hacked repeatedly by fraudsters over a period of three months, putting thousands of customers' card details at risk [3726]. Lush admitted that it became aware of the attacks in late December but informed customers only in January, raising questions about the delay in notifying customers and in securing the website [3726]. Concerns were also raised that card details stored on the site were not encrypted, which would put Lush in breach of the PCI DSS rules governing how websites may store card details [3726]. The delayed response, the apparent lack of encryption, and the failure to promptly address the breach all point to poor decisions in how Lush handled the incident. |
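The encryption point above concerns how card numbers are stored. As an added example, not taken from the article and not Lush's code, the following Python script shows the check a site operator can run over an export of an orders table to find card numbers sitting in plaintext: it picks out runs of 13 to 19 digits, confirms them with the Luhn check that real primary account numbers (PANs) satisfy, and reports each hit masked to its first six and last four digits, the form PCI DSS permits to be displayed. The sample rows and field names are constructed, the card numbers are well-known public test numbers rather than real cards, and the article does not describe how Lush actually stored card data.

```python
"""Scan stored records for plaintext payment card numbers (PANs).

Added example, not from the Lush article. It shows the check a site operator
would run to confirm that card numbers are not held in plaintext, since PCI DSS
requires a stored PAN to be rendered unreadable. The sample records below are
constructed and the card numbers are public test numbers, not real cards.
"""
import re
from typing import Iterable

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens,
# bounded on both sides by a non-digit so a longer digit run is not split up.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in a blob of stored data."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Render a PAN unreadable as PCI DSS permits: first 6 and last 4 visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: Iterable[dict]) -> list[tuple[str, str]]:
    """Report (record id, masked PAN) for every record holding a plaintext PAN."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field == "id":
                continue
            for pan in find_plaintext_pans(str(value)):
                hits.append((rec["id"], mask_pan(pan)))
    return hits


# Constructed sample rows resembling an e-commerce orders table (hypothetical
# field names). The numbers are public test PANs (Visa 4111..., Amex 3714...).
SAMPLE_RECORDS = [
    {"id": "order-1001", "customer": "a.smith", "payment": "4111 1111 1111 1111 exp 12/11"},
    {"id": "order-1002", "customer": "b.jones", "payment": "tok_8f3a9c2e"},        # tokenised, correct
    {"id": "order-1003", "customer": "c.lee",   "notes": "called re card 3714-496353-98431"},
    {"id": "order-1004", "customer": "d.kim",   "notes": "phone 0123456789012"},     # 13 digits, fails Luhn
]

if __name__ == "__main__":
    for rec_id, masked in scan_records(SAMPLE_RECORDS):
        print(f"{rec_id}: plaintext PAN found -> {masked}")
```

The Luhn check keeps long phone or order numbers out of the results, which is why the 13-digit "phone" value is not reported while the two test card numbers are. The remediation the article's PCI point implies is usually not to encrypt PANs better but to stop holding them at all: hand the card to the payment processor and keep only a token, as the second sample row does. A scan like this is how you find out whether that is actually true of your own data.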
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident at Lush's website was primarily due to development incompetence. The website was repeatedly hacked by fraudsters over a period of three months, putting thousands of customers' card details at risk [3726]. That Lush had to take the site down, warn customers to contact their banks, and possibly face the consequences of failing to meet PCI compliance requirements indicates that the security of the site was not assured during its development and maintenance.
(b) The delayed notification is less clear-cut. Customers questioned why it took Lush so long to disclose the hack if the company had known about it since Christmas [3726]. The article gives no indication that the delay was intended, so it reads as an accidental shortcoming in the incident-response process, one that nonetheless damaged customer trust and lengthened the period during which affected customers did not know their card details were at risk. |
Duration |
temporary |
(a) The software failure incident in this case can be considered temporary. The hacking of Lush's website by fraudsters is reported to have run from October 4, 2010, to January 20, 2011 [3726], a bounded period tied to specific circumstances, the attackers' repeated intrusions, rather than a permanent defect. Lush took down its UK website and implemented extra security measures as soon as it says it became aware of the attacks, and informed customers of the breach; this was a containment response after the fact rather than a proactive one, but it marks the end of the incident as reported [3726]. |
Behaviour |
crash, omission, timing, value, other |
(a) crash: The website did not crash in the sense of failing on its own; Lush deliberately took it down after discovering the attacks. The effect on customers was the same as a crash, however: the site stopped performing its function of taking orders and processing payments, and customers were told to contact their banks because their card details may have been compromised [3726].
(b) omission: The system failed to perform its intended function of securely storing and protecting customer card details, leaving thousands of customers at risk of having those details stolen. Lush admitted that the website was hacked repeatedly over the past three months, so the protection was absent for an extended period rather than for a single request [3726].
(c) timing: The response came late. The company informed customers of the breach only after the site had been under attack for months, and the gap between detection and notification, despite 24-hour security monitoring, raises questions about the timing of the response [3726].
(d) value: The system also delivered the wrong result: instead of securely storing and processing customer card details, it exposed them. Customers expected secure online transactions and instead had their financial information put at risk [3726].
(e) byzantine: The byzantine behavior is not explicitly mentioned in the articles.
(f) other: The incident can also be categorized under "other" on account of the company's response to the breach. Lush's response was unconventional: it replaced the website with a statement, offered a job to the hackers, and posted a video of dancing lemmings alongside the security message, a way of handling a software failure incident that does not fit the other behaviour categories [3726]. |