Cosmetics retailer narrowly misses huge fine from ICO
Cosmetics retailer Lush has narrowly escaped a hefty fine from the Information Commissioner after its website was hacked and customer account and credit card details stolen.
The breach of the Data Protection Act and Lush's failure to process card details in accordance with the Payment Card Industry Data Security Standard mean 95 customers became victims of card fraud.
However, in order to issue a fine, the Information Commissioner's Office (ICO) must be satisfied that certain principles have been breached. Although this was an extremely serious case, Lush managed to evade a fine because it had taken some action.
"A monetary penalty was not issued to Lush because we could not show that they 'failed to take reasonable steps to prevent the contravention'," the ICO told us.
The cosmetic company's website was compromised for four months between October 2010 and January 2011. Hackers were able to access the payment details of 5,000 customers who had previously shopped on the company's website. The company only discovered the breach after customers complained that their credit card details had been used fraudulently.
The ICO's investigation found that, although the company had measures in place to keep customers' payment details secure, they were not sufficient to prevent a determined attack on their website.
It said that Lush's methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach.
ICO Acting Head of Enforcement Sally Anne Poole said:
"Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back."
She went on to say that retailers had to recognise the value of the information they hold and realise that "their websites are a potential target for criminals."
Lush has now signed an undertaking to take the necessary security steps. It must also ensure that it only stores the minimum amount of payment data necessary to receive payments. In addition, all future payments will be managed by an external provider compliant with the Payment Card Industry Data Security Standard.