Cyber Incident Victim: Lime Crime
Date: Oct 2014
Location: United States of America
Summary
A cosmetics company experienced unauthorized access to its website server, resulting in the installation of malware designed to intercept customer payment card information and personal data over several months. The compromise affected names, addresses, card details, security codes, and website credentials, though PayPal transactions only exposed account credentials without card data. The company removed the malicious code, migrated its website to a PCI-compliant platform, conducted security scans, and notified affected customers. Individuals were advised to reset passwords and offered complimentary identity protection services following reports of fraudulent charges linked to the breach.
Description
In October 2014, unauthorized individuals gained access to Lime Crime's website server and installed malware designed to intercept customer payment card data and personal information. The malicious code remained active on the cosmetics company's e-commerce platform until February 15, 2015, affecting customers who made purchases during this four-month period. The compromised data included names, billing addresses, payment card account numbers, expiration dates, and security verification codes. Customers who created accounts on Lime Crime's website also had their usernames and passwords exposed. PayPal users experienced partial compromise, with website credentials potentially accessed but payment card details remaining secure due to PayPal's external transaction processing. The breach resulted in confirmed fraudulent charges on customer accounts, as acknowledged in Lime Crime's February 24, 2015 security notification.

Lime Crime responded by deleting the malicious code from their systems and migrating their website to a new PCI-compliant hosting platform. Security professionals conducted vulnerability scans on the reconfigured infrastructure, verifying no residual threats remained. The company initiated customer notifications through their website, advising all affected individuals to reset their account passwords immediately. As remediation, Lime Crime offered impacted customers complimentary identity protection services and fraud resolution support for twelve months. The volume of inquiries following the disclosure temporarily overwhelmed customer service channels, causing delayed email response times. Forensic analysis confirmed the malware specifically targeted payment card transactions processed directly through Lime Crime's website between October 4, 2014, and February 15, 2015.
