Cosmetics retailer hacking, lush pickings for speculation

Details of the  hacking of the website of cosmetics retailer, Lush, and theft of potentially thousands of customer banking details are still unknown, but that is not stopping security experts from speculating.

The retailer has promised a full external forensic investigation of the security breach to ensure improved protection for customers in future.
Therefore it would be unfair to accuse the firm of not having any commitment to safeguarding customer details, but what of the past?

Some 43 customers have had their cards used by fraudsters, the Daily Mail reported last week.

Some commentators have said that the incident clearly shows that Lush was in breach of  Payment Card Industry Data Security Standard (PCI DSS) compliance, but that is not necessarily true. Have they forgotten that  Heartland Payment Systems was PCI DSS compliant when it suffered a similar breach in 2009?

In a temporary holding page until a new website is ready, Lush is calling on all online customers who placed orders between 4th October 2010 and 20th January 2011 to
contact their banks for advice as their card details may have been compromised.

The fact that Lush knows the timeframe of the hacking activity, but does not know exactly how many customers were affected, implies that the company has some sort of audit during the attack, it does not have a solid audit trail that should provide concrete details of who was affected, says Noa Bar-Yosef, senior security strategist at security firm Imperva.

Whatever the cause, which hopefully will be revealed by the forensic investigation and shared publically, Lush will be in trouble with the Information Commissioner’s Office if the company failed to have in place suitable contracts with their website and IT systems operators, to police the security of their data regularly and to take prompt action if any breach is suspected, as required by the Data Protection Act.

The biggest failing, so far, appears to be that Lush took so long to notify its customers that there banking details may have been compromised. According to the Daily Mail, lush found out about the illegal activity on Christmas Day, yet admitted the breach only a month later.

Despite the lush online opportunities for selling goods, retailers should take this case as a serious warning that if their websites, contracts, technologies and procedures are not up to scratch, they could not only suffer a loss of reputation, but could also get the book thrown at them by the ICO, not to mention a monetary penalty of up to £500,000.