Lush Hack Leads ICO To Warn Other Online Retailers

Hacking victim Lush Cosmetics has taken its ticking-off from the Information Commissioners Office (ICO) to heart and appears to be making a determined effort not to get caught out again.

Lush fell foul of the ICO when its site was persistently hacked from October 2010 to January 2011. The attack resulted in an estimated 5,000 instances of customer’s personal and payment card details being exposed.

The breach was uncovered after 95 customers complained they had been victims of card fraud. Despite Lush having security in place, the company failed to perform regular security checks, such as the recording of suspicious activity on the website. This also delayed the identification of the cause of the breach.

Urgent Website Redesign Underway

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals,” commented Sally Anne Poole, acting head of enforcement for the ICO.

The ICO is now warning online retailers that they risk enforcement actions and fines if they do not adopt suitable security standards, such as those laid down by the Payment Card Industry (PCI) Data Security Standard (DSS).

Lush managing director Mark Constantine was not fined for the breach but has signed an undertaking that the company will take steps to ensure better security to PCI-DSS levels. This is running the company to the expense of completely redesigning its website and taking on the services of Worldpay to handle payments and card details storage.

Under the name of Tech Ed, the company has posted an explanation of its new security measures. In the online statement, the company says: “We’ve teamed up with Worldpay for our payment solution, because we don’t ever want Lush to be vulnerable to hackers stealing customers’ money and details again”.

The ethical cosmetics company’s site now has VeriSign Trusted status and is gradually restoring its temporary website to full working order again.

The ICO noted the actions taken and that played a part in the lenient decision. The government department stresses that the advice to ensure PCI-DSS compliance should have been followed.

“Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back,” Poole said. “This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

The ICO has published a page of guidance for retail businesses that store customers’ personal information.

Although Lush avoided financial penalties, the next breach victims may not be so lucky. The ICO appears to be setting up a minimum requirement which will be used to assess the measures taken when dealing with future cases.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

View Comments

  • Steve Watts, co-founder of SecurEnvoy comments:

    “It's said that 95 customers of the site had complained. But it's a fair bet that a lot more who didn't complain also had their card details fraudulently used, and now the ICO doesn't plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit.

    “What we have here is a major e-commerce Web portal - run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free.

    “When you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting 'done' by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is.”

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

6 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

8 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

10 hours ago