Lush breached Data Protection Act, ICO confirms

Computerworld UK, By Anh Nguyen, August 9, 2011

The Information Commissioner has found cosmetics retailer Lush in breach of the Data Protection Act (DPA) after the company’s website was hacked, exposing customers’ credit card details.

In January, the company took down its website following persistent attacks by hackers, and warned all customers who placed online orders on the website between 4 October 2010 and 20 January 2011 that their card details “may have been compromised”. The ICO revealed that hackers were able to access the payment details of 5,000 customers.

Lush only discovered the security issue in January after receiving complaints from 95 customers who had been the victims of card fraud.

On investigation, the ICO found that while the company had measures in place to secure customers’ payment details, it did not have sufficient protection to prevent a determined attack on its website. Lush also failed to identify the security breach quickly due to insufficient methods for recording suspicious activity on its website.
