Lush escapes fine over British data breach

Powered by SC Magazine
 

Took steps to protect data.

Soap retailer Lush has escaped financial penalty after being found in breach of Britain's Data Protection Act by the country's Information Commissioner's Office.

The privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company’s British website this year.

The breach, which Lush at the time said originated through a third-party email provider, occurred between October 2010 and January 2011.

Hackers were able to access the payment details of 5000 customers who had previously shopped on its website.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security," the watchdog's enforcement head Sally Anne Poole said.

The retailer’s methods of recording suspicious activity on its website were deemed insufficient, which delayed the time it took them to identify the security breach.

Lush were required to sign an undertaking to ensure that future customer credit card data would be processed in accordance with the Payment Card Industry Data Security Standard.

A spokesman for the watchdog said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

“The one they didn’t fulfil is failing to show they had taken reasonable steps to protect the data,” he said.

“They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy.”

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, committed the retailer to making sure it only stored the minimum amount of payment data necessary to receive payments, and that this information wasn't retained longer than necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer had to ensure that appropriate technical and organisational measures were employed and maintained.

The co-founder of security company SecurEnvoy, Steve Watts, said that the watchdog's action "does not send out the right message".

Lush also said back in February that its Australian and New Zealand websites were breached; however, it denied any link between that event and those that occurred in Britain.

Copyright © ITPro, Dennis Publishing


Lush escapes fine over British data breach
 
 
 
Top Stories
Abbott brings back Science minister in cabinet reshuffle
Science tacked onto to Industry title.
 
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  3%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1905

Vote
Do you support the abolition of the Office of the Information Commissioner?