The Information Commissioner's Office (ICO) has decided not to punish cosmetics group Lush for a major hack of its online trading site from October 2010 to January 2011.
The ICO found the company guilty of breaching the Data Protection Act by failing to keep customer data safe, but stopped short of imposing a monetary penalty.
Instead, Lush has signed an undertaking to prevent further data breaches by ensuring customer credit card data is processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
The hack exposed the payment details of 5,000 customers who had previously shopped on the company's website.
At the time the hack was exposed, some industry analysts expected the ICO to impose a monetary penalty, but the privacy watchdog found that although the company had measures in place to keep customers' payment details secure, they were not sufficient to prevent a determined attack on its website.
The ICO also found that the retailer's methods of recording suspicious activity on its website were insufficient, which delayed the time it took to identify the security breach. Lush took four months to uncover the security breach, and did so only after receiving complaints from 95 customers who had been victims of card fraud.
"Lush took some steps to protect its customers' data, but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had it done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back," said Sally Anne Poole, acting head of enforcement at the ICO.
This breach should serve as a warning to all retailers that online security must be taken seriously and that the PCI DSS or an equivalent must be followed at all times, she said.
Mark Constantine, managing director of Lush has signed an undertaking committing the retailer to take necessary steps, including that the company only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary.
All future payments will be managed by an external provider compliant with the PCI DSS, and the retailer will also make sure that appropriate technical and organisational measures are employed and maintained.
- Information security skills in high demand for 2011
- PCI DSS v2.0: How does it affect your web application security testing?
- UK companies must heed Sun hack warning, say security experts
- Cybercrime automation demands new response and new skills
- Case study: Combining PCI DSS Compliance with Unprecedented IT System Analysis Capabilities
- Infosec 2011: PCI DSS compliance has positive impact on data security, study finds