Hacking victim Lush Cosmetics has taken its ticking-off from the Information Commissioners Office (ICO) to heart and appears to be making a determined effort not to get caught out again.
Lush fell foul of the ICO when its site was persistently hacked from October 2010 to January 2011. The attack resulted in an estimated 5,000 instances of customer’s personal and payment card details being exposed.
“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals,” commented Sally Anne Poole, acting head of enforcement for the ICO.
The ICO is now warning online retailers that they risk enforcement actions and fines if they do not adopt suitable security standards, such as those laid down by the Payment Card Industry (PCI) Data Security Standard (DSS).
Lush managing director Mark Constantine was not fined for the breach but has signed an undertaking that the company will take steps to ensure better security to PCI-DSS levels. This is running the company to the expense of completely redesigning its website and taking on the services of Worldpay to handle payments and card details storage.
Under the name of Tech Ed, the company has posted an explanation of its new security measures. In the online statement, the company says: “We’ve teamed up with Worldpay for our payment solution, because we don’t ever want Lush to be vulnerable to hackers stealing customers’ money and details again”.
The ethical cosmetics company’s site now has VeriSign Trusted status and is gradually restoring its temporary website to full working order again.
The ICO noted the actions taken and that played a part in the lenient decision. The government department stresses that the advice to ensure PCI-DSS compliance should have been followed.
“Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back,” Poole said. “This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
The ICO has published a page of guidance for retail businesses that store customers’ personal information.
Although Lush avoided financial penalties, the next breach victims may not be so lucky. The ICO appears to be setting up a minimum requirement which will be used to assess the measures taken when dealing with future cases.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Steve Watts, co-founder of SecurEnvoy comments:
“It's said that 95 customers of the site had complained. But it's a fair bet that a lot more who didn't complain also had their card details fraudulently used, and now the ICO doesn't plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit.
“What we have here is a major e-commerce Web portal - run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free.
“When you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting 'done' by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is.”