Lush escapes fine over British data breach

Powered by SC Magazine
 

Took steps to protect data.

Soap retailer Lush has escaped financial penalty after being found in breach of Britain's Data Protection Act by the country's Information Commissioner's Office.

The privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company’s British website this year.

The breach, which Lush at the time said originated through a third-party email provider, occurred between October 2010 and January 2011.

Hackers were able to access the payment details of 5000 customers who had previously shopped on its website.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security," the watchdog's enforcement head Sally Anne Poole said.

The retailer’s methods of recording suspicious activity on its website were deemed insufficient, which delayed the time it took them to identify the security breach.

Lush were required to sign an undertaking to ensure that future customer credit card data would be processed in accordance with the Payment Card Industry Data Security Standard.

A spokesman for the watchdog said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

“The one they didn’t fulfil is failing to show they had taken reasonable steps to protect the data,” he said.

“They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy.”

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, committed the retailer to making sure it only stored the minimum amount of payment data necessary to receive payments, and that this information wasn't retained longer than necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer had to ensure that appropriate technical and organisational measures were employed and maintained.

The co-founder of security company SecurEnvoy, Steve Watts, said that the watchdog's action "does not send out the right message".

Lush also said back in February that its Australian and New Zealand websites were breached; however, it denied any link between that event and those that occurred in Britain.

Copyright © ITPro, Dennis Publishing


Lush escapes fine over British data breach
 
 
 
Top Stories
Toll Group to go Google
Poaches Woolworths project manager.
 
How News Corp's CIO tackled skills in his race to the cloud
What to do when your team’s talents are no longer needed.
 
Photos: How Thodey transformed Telstra
From turbulent Trujillo to Australia's leading telco.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 3920

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 1331

Vote