Lush escapes fine over British data breach

Powered by SC Magazine
 

Took steps to protect data.

Soap retailer Lush has escaped financial penalty after being found in breach of Britain's Data Protection Act by the country's Information Commissioner's Office.

The privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company’s British website this year.

The breach, which Lush at the time said originated through a third-party email provider, occurred between October 2010 and January 2011.

Hackers were able to access the payment details of 5000 customers who had previously shopped on its website.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security," the watchdog's enforcement head Sally Anne Poole said.

The retailer’s methods of recording suspicious activity on its website were deemed insufficient, which delayed the time it took them to identify the security breach.

Lush were required to sign an undertaking to ensure that future customer credit card data would be processed in accordance with the Payment Card Industry Data Security Standard.

A spokesman for the watchdog said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

“The one they didn’t fulfil is failing to show they had taken reasonable steps to protect the data,” he said.

“They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy.”

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, committed the retailer to making sure it only stored the minimum amount of payment data necessary to receive payments, and that this information wasn't retained longer than necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer had to ensure that appropriate technical and organisational measures were employed and maintained.

The co-founder of security company SecurEnvoy, Steve Watts, said that the watchdog's action "does not send out the right message".

Lush also said back in February that its Australian and New Zealand websites were breached; however, it denied any link between that event and those that occurred in Britain.

Copyright © ITPro, Dennis Publishing


Lush escapes fine over British data breach
 
 
 
Top Stories
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 321

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 126

Vote