ICO ruling on Lush site hack “sends out the wrong message” to IT security community

In its ruling, the ICO says that the breach – which occurred between October 2010 and January 2011 – meant that hackers were able to access the payment details of 5,000 customers who had previously shopped on the company’s website.

And it has, says the ICO, resulted in Lush signing “an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”

“The ICO is taking this opportunity to warn online retailers that if they do not adopt this standard, or provide equivalent protection when processing customers’ credit card details, they risk enforcement action from the ICO”, said the agency's press statement.

As reported previously by Infosecurity at the start of the year, Lush said that anyone who has used a card on its website between October 20 and January 21 should contact their bank, to check their card details have not been compromised.

The Facebook site of Lush has been filled with comments from angry customers, whilst Trend Micro security researcher Rik Ferguson said that he was initially alerted to the hack by one of his friends, whose card – along with that of her husband – had been misused to the tune of almost £6000.

"The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality", he said on his Countermeasures security blog in January.

What appears to have puzzled the IT security community, Infosecurity notes, is the fact that Lush has not been asked to sign an undertaking to protect its customer data under the provisions of the Data Protection Act.

That, and the fact that no penalties have been applied, has sent the wrong message, claims SecurEnvoy, the tokenless authentication specialist. Steve Watts, the firm's co-founder, noted that 95 customers of the site had complained.

“But it's a fair bet that a lot more who didn't complain also had their card details fraudulently used, and now the ICO doesn't plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit”, he said.

“What we have here is a major e-commerce web portal – run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free”, he added.

This, says the SecurEnvoy co-founder, shows how crass the UK's data protection legislation – and quite possibly the PCI Data Security Standard – are in terms of penalties, if the watchdog that enforces the rules feels it cannot penalise a company whose database has been hacked for 120 days without its IT staff being aware of the incursion.

Lush's IT security staff, he went on to say, must be quietly laughing up their sleeves, having seen their employer escape from a fine that could have been measured in six figures.

Watts explained that his colleagues over at ViaSat announced their own research at the Infosecurity Europe show back in April and found that the ICO had used its powers in fewer than 1 in 500 data breach cases.

“Out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties. The situation with Lush is therefore in keeping with this strategy, but it still makes a mockery of the Data Protection Act”, he said.
