Natural cosmetics retailer Lush has avoided a fine by the
Information Commissioner’s Office (ICO) in relation to a security
breach on its website between October 2010 and January 2011. The
ICO found Lush to be in breach of the Data Protection Act and
that its measures to keep customers’ payment details secure and
monitor suspicious activity were insufficient.

In January, a hacker brought the Lush website to its knees,
compromising the security of sensitive customer information.
After receiving complaints from 95 customers who had been victims
of card fraud, Lush took the site offline. The attack affected
customers who placed online orders with Lush from 4th October
2010. Following the breach, Lush set up a temporary website that
redirects customers from its own site to the bank’s server,
where payment is taken.

As a result of the breach, the ICO has required Lush’s managing
director Mark Constantine to sign an undertaking promising that
“appropriate technical and organisational measures are
employed, and maintained, to prevent the unlawful processing of
customer data, particularly within web-based systems”. Lush
must also store only the minimum amount of personal data on
customers, and keep it for no longer than is necessary.
Further, Lush must ensure that all future payment processing is
PCI-compliant.

Commenting on the ruling, Lush issued a statement apologising for
the distress caused to customers. It said it was working on a new
site, due to launch in September, that will have “a range
of security measures which exceed the requirements of the Payment
Card Industry Data Security Standard (PCI DSS), as well as a
range of third-party specialist security services in
place.”