
Lush breached Data Protection Act, ICO confirms

Payment details of 5,000 customers were compromised in persistent hacking attack

The Information Commissioner has found cosmetics retailer Lush in breach of the Data Protection Act (DPA) after the company's website was hacked, exposing customers' credit card details.

In January, the company took down its website following persistent attacks by hackers, and warned all customers who had placed online orders on the website between 4 October 2010 and 20 January 2011 that their card details "may have been compromised".

The ICO revealed that hackers were able to access the payment details of 5,000 customers. Lush only discovered the security issue in January, after receiving complaints from 95 customers who had been the victims of card fraud.

On investigation, the ICO found that while the company had measures in place to secure customers' payment details, it did not have sufficient protection to prevent a determined attack on its website. Lush also failed to identify the security breach quickly due to insufficient methods for recording suspicious activity on its website.

"Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security.

"This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times."

Lush has now signed an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). To this end, it has chosen a compliant external provider to process all future payments.

In addition, the company will ensure that it only stores the minimum amount of payment data necessary to receive payments, and that this information is only kept for as long as is necessary.
