Retail Technology
UK data watchdog warns retailers that they neglect sensitive data gathered online at their peril

Cosmetics retailer Lush breached the Data Protection Act after the security of its website was compromised for a four-month period, the Information Commissioner’s Office (ICO) said today.


The breach, which occurred between October 2010 and January 2011, meant that hackers were able to access the payment details of 5,000 customers who had previously shopped on the company’s website.


As a result of the breach, the ICO has required Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS).


The ICO also took the opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO.


Sustained and targeted attack


Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been the victims of card fraud. After making enquiries, Lush found that its website had been subject to a hacking incident which had allowed the attackers to access customers’ payment details. The ICO said that, once the incident was uncovered, the security of Lush’s website was immediately restored.


The ICO’s investigation found that, although the company had measures in place to keep customers’ payment details secure, these were not sufficient to prevent a determined attack on its website. The retailer’s methods of recording suspicious activity on its website were also insufficient, which delayed the time it took to identify the security breach.


Sally Anne Poole, ICO acting head of enforcement, said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.


“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”


Mark Constantine, managing director of Lush Cosmetics, has signed an undertaking committing the retailer to taking necessary steps, including that the company only stores the minimum amount of payment data necessary to receive payments, and that this information will not be kept for longer than is necessary. All future payments will also be managed by an external provider compliant with the Payment Card Industry Data Security Standard and the retailer will also make sure that appropriate technical and organisational measures are employed and maintained.


Undertaking not enough


According to Steve Watts, co-founder of the two-factor tokenless authentication specialist SecurEnvoy, the decision not to impose a fine on Lush sends out the wrong message.


“What we have here is a major e-commerce web portal – run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free,” he said.


This, said the SecurEnvoy co-founder, shows how crass the UK's data protection legislation – and quite possibly the PCI Data Security Standard – are in terms of penalties, if the watchdog that enforces the rules feels it cannot penalise a company whose database has been hacked for 120 days without its IT staff being aware of the incursion.


And now we learn that all the ICO requires is a signed undertaking that its customer card data will be processed in accordance with the PCI Data Security Standard, and that the ICO is warning other retailers that, if they do not abide by the same rules, they risk enforcement action, he noted.


“But then, when you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting ‘done’ by the Information Commissioner for a hack that has occurred due to lacklustre IT security are minimal,” he said.