Lush Hack Leads ICO To Warn Other Online Retailers

Hacking victim Lush Cosmetics has taken its ticking-off from the Information Commissioner's Office (ICO) to heart and appears to be making a determined effort not to get caught out again.

Lush fell foul of the ICO when its site was persistently hacked from October 2010 to January 2011. The attack resulted in an estimated 5,000 instances of customers’ personal and payment card details being exposed.

The breach was uncovered after 95 customers complained they had been victims of card fraud. Despite Lush having security in place, the company failed to perform regular security checks, such as the recording of suspicious activity on the website. This also delayed the identification of the cause of the breach.

Urgent Website Redesign Underway

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals,” commented Sally Anne Poole, acting head of enforcement for the ICO.

The ICO is now warning online retailers that they risk enforcement actions and fines if they do not adopt suitable security standards, such as those laid down by the Payment Card Industry (PCI) Data Security Standard (DSS).

Lush managing director Mark Constantine was not fined for the breach but has signed an undertaking that the company will take steps to bring its security up to PCI-DSS levels. This has put the company to the expense of completely redesigning its website and taking on the services of Worldpay to handle payments and the storage of card details.

Under the name of Tech Ed, the company has posted an explanation of its new security measures. In the online statement, the company says: “We’ve teamed up with Worldpay for our payment solution, because we don’t ever want Lush to be vulnerable to hackers stealing customers’ money and details again”.

The ethical cosmetics company’s site now has VeriSign Trusted status, and the company is gradually restoring its temporary website to full working order.

The ICO noted the actions Lush has taken, and these played a part in its lenient decision. The government department stresses, however, that the advice to ensure PCI-DSS compliance should have been followed in the first place.

“Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back,” Poole said. “This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

The ICO has published a page of guidance for retail businesses that store customers’ personal information.

Although Lush avoided financial penalties, the next breach victims may not be so lucky. The ICO appears to be setting up a minimum requirement which will be used to assess the measures taken when dealing with future cases.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative


  • Steve Watts, co-founder of SecurEnvoy comments:

    “It's said that 95 customers of the site had complained. But it's a fair bet that a lot more who didn't complain also had their card details fraudulently used, and now the ICO doesn't plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit.

    “What we have here is a major e-commerce Web portal - run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free.

    “When you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting 'done' by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is.”
