Lush signs undertaking with the ICO following data breach

Company only allowed to store the minimum amount of data necessary to receive payments

Retailer Lush Cosmetics has signed an undertaking with the ICO after a data breach allowed hackers to access the payment details of 5,000 of its customers.

The terms of the undertaking have committed Lush to taking several steps, including only storing the minimum amount of payment data necessary to receive payments. The company must also ensure that this information is not kept for longer than necessary.

In addition, all future payments will be managed by an external provider compliant with the Payment Card Industry Data Security Standard. The retailer must also make sure that appropriate technical and organisational measures are employed and maintained.

In January this year, following the breach, Lush warned customers who had placed online orders between 4 October 2010 and 20 January 2011 to contact their banks, as their card details may have been stolen.

Lush was forced to close its web site because of continued attempts by hackers to access customer data.

The ICO has also warned online retailers that failure to adopt the PCI DSS, or to provide equivalent protection when processing customers' credit card details, could result in further enforcement action.

The investigation found that, although Lush had measures in place to keep customers' payment details secure, they were not sufficient to prevent ongoing attacks on its website. Lush's methods of recording suspicious activity on its website were also insufficient, which prolonged the time the company took to identify the breach.

"With more than 31m people having shopped online last year, retailers must recognise the value of the information that they hold and that their web sites are a potential target for criminals," said ICO's acting head of enforcement, Sally Anne Poole.