Thousands of Lush customers whose credit card details were left vulnerable to hackers have limited legal options, an expert says.

Shoppers who have used the cosmetic company's online stores in Australia and New Zealand are being urged to cancel their credit cards after its online customer database was stolen by cyber thieves.

It follows a similar attack on Lush's UK parent company last month.

Lush Australasia director Mark Lincoln says their customers were not informed their credit card details were being stored on the database.

The Privacy Act, however, requires an organisation that collects personal data to advise customers why they are collecting the data, protect it, state how long they intend to keep it and what they will do with the data.

But RMIT professor of computer law Margaret Jackson says it is not illegal if a company fails to follow these "guidelines".

"It's not illegal - the Privacy Act doesn't really say it's illegal," she said.

"It says if you're going to collect personal data as an organisation, then you have certain obligations that you must meet and that is to keep the information secure and not keep it too long.

"It does sound as though they (Lush) have kept data too long and when it's not needed. That's something they're going to have to address very quickly.

"But it's not illegal as such, but it can be a breach of the Privacy Act."

Professor Jackson says if the Privacy Act is breached, there is "not all that much" in the way of penalties.

"Australia doesn't have some of the laws that other countries have about unauthorised data breaches like this, but... the Privacy Commissioner is able to work with them to make sure they're addressing their security concerns," she said.

"Other countries have stronger laws about this.

"The US is a good example. They have legislation in most of the states that requires compulsory reporting of breaches. In Australia it's only guidelines that the Privacy Commissioner's office has put out."

She says a customer can take action on their own if they feel they have suffered financial loss.

"In most of the cases that do have this sort of data impact, that's what's going to happen," she said.

And Professor Jackson says the company's image is also likely to suffer.

"They are getting bad publicity and customers may think, 'well, I may not deal with them again'," she said.

But she says breaches like this show the Federal Government needs to take more action to protect consumers. She says the Government is bringing in reform but it should not lag in putting it in place.

"We look as though we're going to have something, but it's not here just yet. They are bringing it in, it is just a question of speeding it up a bit," she said.

"This is such an important issue. It does create concern and fear with some people that if they're providing information online that it's not safe."

Lush says it has informed the Privacy Commissioner about the privacy breach.

Scammed

Sydney analyst Peter James's credit card was scammed of $1,400 about two weeks ago. He is not sure if it is linked to Lush, but the company sent him an email this morning informing him of the privacy breach.

He says he made a purchase on Lush's website about two years ago using the same credit card, which he rarely used.

The bank has already cancelled his card and he has not been able to get through to them today to find out if he is a victim of the Lush breach.

But he is angry that his credit card details were kept in their database.

"It's absolutely atrocious, to be honest," he said.

"It's so wrong to keep that information because there's no need to. They've definitely broken trust of the consumer.

"It's pretty shocking that they've kept this information for that long, let alone kept it at all."

He is also very concerned about his identity being stolen.

"Lush had my email address on file as well, so if nothing else my email is potentially out there on a list so I immediately changed my password," he said.

"I've got to go back to my original order and find out what data they've had.

"But if they've deleted the data now and if they've removed access to their website, there's no way I can log back on and find out what information is potentially compromised."

Lush says an out-of-date computer system was responsible for the website breach.

"It sounds like they (Lush) didn't have much of an idea on what's required to run an e-commerce store," Mr James said.

"I think people just want to sell their products online without fully understanding the ramifications of it."

He says he is also shocked that such a breach is not illegal.

"That's the first thing I thought of - someone should really be held accountable for this," he said.

"There needs to be something to stop potentially dodgy operators and regulation of retailers."