Cosmetics retailer Lush breached the Data Protection Act after failing to protect customer data for four months, the Information Commissioner’s Office (ICO) has said.

The ICO has warned retailers they risk enforcement action if they don’t do enough to protect customer details from hackers.

The breach occurred between October 2010 and January 2011 and meant that 5,000 customers had their details accessed by hackers.

The retailer’s managing director Mark Constantine signed an undertaking to make sure that in future customer data is processed according to the Payment Card Industry Data Security Standard (PCI DSS).

The problem was discovered after Lush received complaints from 95 customers who had been victims of card fraud. It found the site had been compromised by hackers who had been able to access the data for four months, and it immediately improved its security.

The retailer had some security measures in place but they weren’t strong enough, the ICO said, and the company failed to monitor suspicious activity on the site.

Acting Head of Enforcement at the ICO Sally Anne Poole said: “Retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back.”