Privacy & Information Security Law Blog

Lush Cosmetics Ltd. (“Lush”) has avoided a monetary penalty for its breach of the UK Data Protection Act 1998.  Instead, the UK Information Commissioner’s Office (the “ICO”) has required Lush to sign an undertaking that obliges the company to “ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”

After customers reported 95 complaints claiming that they had been the victim of credit card fraud, Lush discovered that its website had been repeatedly hacked into over a four month period between October 2010 and January 2011.  During this time, hackers were able to the access payment card details of more than 5,000 Lush customers who had previously used the company’s website.

While Lush had certain measures in place to protect customer data, the ICO found that the measures were “not sufficient to prevent a determined attack on their website.”  The ICO also found that Lush had failed to fully comply with the Payment Card Industry Data Security Standard (“PCI DSS”).  If Lush had done so, the ICO stated that, “it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back."

The ICO has used this incident as an opportunity to warn retailers that online security must be taken seriously.  Sally Anne Poole, the Acting Head of Enforcement at the ICO, noted that, with over 31 million online shoppers in the UK, “retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.”  She added that “the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

In the undertaking, Lush has committed to taking certain steps, which include ensuring that it (1) stores only the minimum amount of personal data necessary to process payments, (2) retains such personal data no longer than is necessary, and (3) implements and maintains appropriate technical and organizational safeguards.  Lush is overhauling its website and has appointed a PCI DSS-compliant service provider to manage all future payment processing.