September 2011
Retailers warned over online security
Businesses have been urged to do more to protect customers’ data after hackers were able to access the payment details of thousands of customers of cosmetics and toiletries retailer Lush.
Lush breached the Data Protection Act after the security of its website was compromised for four months, the Information Commissioner’s Office (ICO) said.
The breach, which occurred between October 2010 and January 2011, meant that hackers were able to access the payment details of 5,000 customers who had previously shopped on the Lush website.
The ICO announced on 9 August that it had required Lush to sign an undertaking ensuring that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
It also warned online retailers who do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, that they risk enforcement action from the ICO.
Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been victims of card fraud. After making enquiries, Lush found that its website had been subject to a hacking incident that had allowed the attackers to access customers’ payment details. The security of the website was then immediately restored.
The ICO’s investigation found that, although Lush had measures in place to keep customers’ payment details secure, they were not sufficient to prevent a determined attack on its website. The retailer’s methods of recording suspicious activity on its website were also insufficient, which delayed the company’s identification of the breach.
ICO acting head of enforcement Sally Anne Poole said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
“This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
LINK: PCI Security Standards Council