Lush escapes fine after data breach


Cosmetics retailer Lush has been found in breach of the Data Protection Act (DPA), the Information Commissioner's Office (ICO) has said.

The Government's data and privacy watchdog issued its findings from an investigation into the theft of customer data from the company's UK-based website in January.

The breach, which Lush at the time said originated via a third-party email provider, occurred between October 2010 and January 2011. Hackers were able to access the payment details of 5,000 customers who had previously shopped on its website.

Sally Anne Poole, the ICO acting head of enforcement, stated: "Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security."

The retailer's methods of recording suspicious activity on its website were also insufficient, which delayed its identification of the security breach.

The ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.

But it fell short of issuing any monetary penalty, even though it can hand out fines of up to £500,000 as part of its DPA enforcement powers. It emerged earlier this year that the watchdog had fined less than one per cent of the breaches it investigates.

Instead, the ICO warned online retailers to adopt the industry standard, or provide equivalent protection, when processing customers' credit card details.

"If they do not they risk enforcement action from the ICO," Poole added. "With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals."

An ICO spokesperson also said the breach at Lush did not fulfil the criteria required for a fine to be issued.

"The one they didn't fulfil is failing to show they had taken reasonable steps to protect the data," he told IT Pro. "They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy."

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, commits the retailer to making sure it only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary.

All future payments must also be managed by an external PCI DSS-compliant provider, and the retailer must also ensure that appropriate technical and organisational measures are employed and maintained.

"The key issue here is that the ICO only required the retailer to agree to adhere to the provisions of the PCI DSS rules and NOT to the provisions of the Data Protection Act, as has been the case in most other situations where the ICO has investigated a data breach or similar attack in a public or private sector organisation," said Steve Watts, co-founder of two-factor tokenless authentication provider SecurEnvoy.

"My understanding is that, if a subsequent breach of the Data Protection Act occurs, then the ICO will not be able to say that it warned the retailer previously. Obviously there may be informal discussions along these lines that may have taken place between the ICO and the retailer, but for the purposes of the DPA in relation to this clear breach, the tragedy is that nothing formal has been said."

He concluded: "Based on these facts, and the ICO's track record on imposing penalties, this does not send out the right message."

Miya Knights

A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.

Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.