The Information Commissioner has found cosmetics retailer Lush in breach of the Data Protection Act (DPA) after the company’s website was hacked, exposing customers’ credit card details.
In January, the company took down its website following persistent attacks by hackers, and warned all customers who placed online orders on the website between 4 October 2010 and 20 January 2011that their card details “may have been compromised”.
The ICO revealed that hackers were able to access the payment details of 5,000 customers. Lush only discovered the security issue in January after receiving complaints from 95 customers who had been the victim of card fraud.
On investigation, the ICO found that while the company had measures in place to secure customers’ payment details, it did not have sufficient protection to prevent a determined attack on its website. Lush also failed to identify the security breach quickly due to insufficient methods for recording suspicious activity on its website.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security.
“This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
Lush has now signed an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). To this end, it has chosen a compliant external provider to process all future payments.
In addition, the company will ensure that it only stores the minimum amount of payment data necessary to receive payments, and that this information is only kept for as long as is necessary.