Lush escapes fine after data breach

Retailer signs undertaking as ICO warns retailers that online security must be a priority.

Cosmetics retailer Lush has been found in breach of the Data Protection Act (DPA), the Information Commissioner's Office (ICO) has said.

The Government data and privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company's UK-based website this January.

The breach, which Lush at the time said originated via a third-party email provider, occurred between October 2010 and January 2011. Hackers were able to access the payment details of 5,000 customers who had previously shopped on its website.

Sally Anne Poole, the ICO acting head of enforcement, stated: "Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security."

The retailer's methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach.

The ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.

But it fell short of issuing any monetary penalty, even though it can hand out fines of up to £500,000 as part of its DPA enforcement powers. It emerged earlier this year that the watchdog had fined less than one per cent of the breaches it investigates.

Instead, the ICO warned online retailers to adopt the industry standard or provide equivalent protection when processing customers' credit card details.

"If they do not they risk enforcement action from the ICO," Poole added. "With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals."

An ICO spokesperson also said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

"The one they didn't fulfil is failing to show they had taken reasonable steps to protect the data," he told IT Pro. "They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy."

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, commits the retailer to making sure it only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer has to also make sure that appropriate technical and organisational measures are employed and maintained.

"The key issue here is that the ICO only required the retailer to agree to adhere to the provisions of the PCI DSS rules and NOT to the provisions of the Data Protection Act, as has been the case in most other situations where the ICO has investigated a data breach or similar attack in a public or private sector organisation," said Steve Watts, co-founder of two-factor tokenless authentication provider SecurEnvoy.

"My understanding is that, if a subsequent breach of the Data Protection Act occurs, then the ICO will not be able to say that it warned the retailer previously. Obviously there may be informal discussions along these lines that may have taken place between the ICO and the retailer, but for the purposes of the DPA in relation to this clear breach, the tragedy is that nothing formal has been said."

He concluded: "Based on these facts, and the ICO's track record on imposing penalties, this does not send out the right message."
