Cosmetics retailer Lush breached the data protection act after failing to protect customer data for four months, the Information Commissioner’s Office (ICO) has said.