Lush escapes fine over British data breach

Powered by SC Magazine

Took steps to protect data.

Soap retailer Lush has escaped financial penalty after being found in breach of Britain's Data Protection Act by the country's Information Commissioner's Office.

The privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company’s British website this year.

The breach, which Lush at the time said originated through a third-party email provider, occurred between October 2010 and January 2011.

Hackers were able to access the payment details of 5000 customers who had previously shopped on its website.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security," the watchdog's enforcement head Sally Anne Poole said.

The retailer’s methods of recording suspicious activity on its website were deemed insufficient, which delayed the time it took them to identify the security breach.

Lush were required to sign an undertaking to ensure that future customer credit card data would be processed in accordance with the Payment Card Industry Data Security Standard.

A spokesman for the watchdog said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

“The one they didn’t fulfil is failing to show they had taken reasonable steps to protect the data,” he said.

“They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy.”

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, committed the retailer to making sure it only stored the minimum amount of payment data necessary to receive payments, and that this information wasn't retained longer than necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer had to ensure that appropriate technical and organisational measures were employed and maintained.

The co-founder of security company SecurEnvoy, Steve Watts, said that the watchdog's action "does not send out the right message".

Lush also said back in February that its Australian and New Zealand websites were breached; however, it denied any link between that event and those that occurred in Britain.

Copyright © ITPro, Dennis Publishing

Lush escapes fine over British data breach
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx