Lush escapes fine over British data breach

Soap retailer Lush has escaped financial penalty after being found in breach of Britain's Data Protection Act by the country's Information Commissioner's Office.

The privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company’s British website this year.

The breach, which Lush at the time said originated through a third-party email provider, occurred between October 2010 and January 2011.

Hackers were able to access the payment details of 5000 customers who had previously shopped on its website.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security," the watchdog's enforcement head Sally Anne Poole said.

The retailer’s methods of recording suspicious activity on its website were deemed insufficient, which delayed the time it took them to identify the security breach.

Lush were required to sign an undertaking to ensure that future customer credit card data would be processed in accordance with the Payment Card Industry Data Security Standard.

A spokesman for the watchdog said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

“The one they didn’t fulfil is failing to show they had taken reasonable steps to protect the data,” he said.

“They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy.”

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, committed the retailer to making sure it only stored the minimum amount of payment data necessary to receive payments, and that this information wasn't retained longer than necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer had to ensure that appropriate technical and organisational measures were employed and maintained.

The co-founder of security company SecurEnvoy, Steve Watts, said that the watchdog's action "does not send out the right message".

Lush also said back in February that its Australian and New Zealand websites were breached; however, it denied any link between that event and those that occurred in Britain.