Lush signs undertaking with the ICO following data breach

By Robert Shepherd
10 Aug 2011

Retailer Lush Cosmetics has signed an undertaking with the ICO after a data breach allowed hackers to access the payment details of 5,000 of its customers.

The terms of the undertaking have committed Lush to taking several steps, including only storing the minimum amount of payment data necessary to receive payments. The company must also ensure that this information is not kept for longer than necessary.

In addition, all future payments will be managed by an external provider compliant with the Payment Card Industry Data Security Standard. The retailer must also make sure that appropriate technical and organisational measures are employed and maintained.

Following the breach, in January this year Lush warned customers who had placed online orders between 4 October 2010 and 20 January 2011 to contact their banks, as their card details may have been stolen.

Lush was forced to close its web site because of continued attempts by hackers to access customer data.

The ICO has also warned online retailers that failure to adopt the PCI DSS, or to provide equivalent protection when processing customers' credit card details, could result in further enforcement action.

The investigation found that, although Lush had measures in place to keep customers' payment details secure, they were not sufficient to prevent ongoing attacks on its website. Lush's methods of recording suspicious activity on its website were also insufficient, which prolonged the time it took the company to identify the breach.

"With more than 31m people having shopped online last year, retailers must recognise the value of the information that they hold and that their web sites are a potential target for criminals," said the ICO's acting head of enforcement, Sally Anne Poole.
