
Lush escapes fine after data breach

Retailer signs undertaking as ICO warns retailers that online security must be a priority.


Cosmetics retailer Lush has been found in breach of the Data Protection Act (DPA), the Information Commissioner's Office (ICO) has said.

The Government data and privacy watchdog issued its findings from an investigation carried out into the theft of customer data from the company's UK-based website this January.

The breach, which Lush at the time said originated via a third-party email provider, occurred between October 2010 and January 2011. Hackers were able to access the payment details of 5,000 customers who had previously shopped on its website.

Sally Anne Poole, the ICO acting head of enforcement, stated: "Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security."

The retailer's methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach.

The ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.

But it fell short of issuing any monetary penalty, even though it can hand out fines of up to £500,000 as part of its DPA enforcement powers. It emerged earlier this year that the watchdog had fined less than one per cent of the breaches it investigates.

Instead, the ICO warned online retailers to adopt the industry standard or provide equivalent protection when processing customers' credit card details.

"If they do not they risk enforcement action from the ICO," Poole added. "With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals."

An ICO spokesperson also said the breach at Lush fell short of fulfilling the required criteria to receive a fine.

"The one they didn't fulfil is failing to show they had taken reasonable steps to protect the data," he told IT Pro. "They did take reasonable steps, but were subject to a sustained, coordinated and targeted attack. They have also taken a lot of action on their website since to safeguard privacy."

The undertaking signed by managing director of Lush Cosmetics, Mark Constantine, commits the retailer to making sure it only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary.

All future payments must also be managed by an external PCI DSS-compliant provider and the retailer has to also make sure that appropriate technical and organisational measures are employed and maintained.

"The key issue here is that the ICO only required the retailer to agree to adhere to the provisions of the PCI DSS rules and NOT to the provisions of the Data Protection Act, as has been the case in most other situations where the ICO has investigated a data breach or similar attack in a public or private sector organisation," said Steve Watts, co-founder of two-factor tokenless authentication provider SecurEnvoy.

"My understanding is that, if a subsequent breach of the Data Protection Act occurs, then the ICO will not be able to say that it warned the retailer previously. Obviously there may be informal discussions along these lines that may have taken place between the ICO and the retailer, but for the purposes of the DPA in relation to this clear breach, the tragedy is that nothing formal has been said."

He concluded: "Based on these facts, and the ICO's track record on imposing penalties, this does not send out the right message."
