Security Breach Sends Card Data to Third-parties

Jay Decenella, IT audit expert
August 10, 2011 /

Cosmetics retailer Lush violated the Data Protection Act after the security of its website was compromised for a four month period resulting in the exposure of card data of its customers, the Information Commissioner’s Office (ICO) said.

The breach, which occurred between October 2010 and January 2011, suggested that hackers may have accessed the payment details of 5,000 customers who had previously shopped on the company’s website.

Online shopping into its website was immediately suspended January 21 following complaints from customers on its Facebook page of the security breach.

THe security breach has pushed the ICO to require Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.

The ICO warned online retailers to adopt this standard, or provide equivalent protection when processing customers’ credit card details, to avoid the risk of enforcement action from the ICO.

Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been the victim of card fraud. After making inquiries, Lush found that the website had been subject to a hacking incident which  allowed hackers to access their customers’ payment details.

The security of Lush’s website was immediately restored after revealing the breach.

The ICO’s investigation found that the security measures put in place by Lush to keep customers’ payment details secure, have been insufficient to prevent a determined attack on their website.

“The retailer’s methods of recording suspicious activity on their website were also insufficient, which delayed the time it took them to identify the security breach,” the ICO said.

Acting Head of Enforcement, Sally Anne Poole said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security.

“Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back.

“This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

Mark Constantine, Managing Director of Lush Cosmetics Ltd, has signed an undertaking binding the retailer to taking necessary steps, including the need for the company to only store the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary.

All future payments will also be managed by an external provider compliant with the Payment Card Industry Data Security Standard. Lush will also make sure that appropriate technical and organisational measures are employed and maintained.


Share your opinion

SEO Powered By SEOPressor