Cosmetics retailer Lush breached the Data Protection Act after failing to protect customer data for four months, the Information Commissioner's Office (ICO) has said.
The ICO has warned retailers they risk enforcement action if they don't do enough to protect customer details from hackers.
The breach occurred between October 2010 and January 2011 and meant that 5,000 customers had their details accessed by hackers.
The retailer's managing director Mark Constantine signed an undertaking to make sure that in future customer data is processed according to Payment Card Industry Data Security Standard (PCI DSS) regulations.
The problem was discovered after Lush received complaints from 95 customers who had been the victims of card fraud. Lush found that hackers had been able to access data on its site for four months, and it immediately improved its security.
The retailer had some security measures in place but they weren't strong enough, the ICO said, and the company failed to monitor suspicious activity on the site.
Acting Head of Enforcement at the ICO Sally Anne Poole said: "Retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.

"Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back."