Lush Hack Leads ICO To Warn Other Online Retailers

Lush Cosmetics avoided an ICO fine for a recent security breach but had to pay for an expensive redesign

Hacking victim Lush Cosmetics has taken its ticking-off from the Information Commissioner's Office (ICO) to heart and appears to be making a determined effort not to get caught out again.

Lush fell foul of the ICO when its site was persistently hacked from October 2010 to January 2011. The attack resulted in an estimated 5,000 instances of customers’ personal and payment card details being exposed.

The breach was uncovered after 95 customers complained that they had been victims of card fraud. Although Lush had security measures in place, the company failed to perform regular security checks, such as logging suspicious activity on the website. This also delayed the identification of the cause of the breach.

Urgent Website Redesign Underway

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals,” commented Sally Anne Poole, acting head of enforcement for the ICO.

The ICO is now warning online retailers that they risk enforcement actions and fines if they do not adopt suitable security standards, such as those laid down by the Payment Card Industry (PCI) Data Security Standard (DSS).

Lush managing director Mark Constantine was not fined for the breach but has signed an undertaking that the company will take steps to bring its security up to PCI-DSS levels. This has put the company to the expense of completely redesigning its website and engaging Worldpay to handle payments and the storage of card details.

Under the name of Tech Ed, the company has posted an explanation of its new security measures. In the online statement, the company says: “We’ve teamed up with Worldpay for our payment solution, because we don’t ever want Lush to be vulnerable to hackers stealing customers’ money and details again”.

The ethical cosmetics company’s site now has VeriSign Trusted status, and the company is gradually restoring its temporary website to full working order.

The ICO noted the actions taken, and this played a part in its lenient decision. The government department stresses that its advice to ensure PCI-DSS compliance should have been followed.

“Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back,” Poole said. “This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

The ICO has published a page of guidance for retail businesses that store customers’ personal information.

Although Lush avoided financial penalties, the next breach victims may not be so lucky. The ICO appears to be setting up a minimum requirement which will be used to assess the measures taken when dealing with future cases.