
Natural cosmetics retailer Lush has avoided a fine by the Information Commissioner’s Office (ICO) in relation to a security breach on its website between October 2010 and January 2011. The ICO found Lush to be in breach of the Data Protection Act and that its measures to keep customers’ payment details secure and monitor suspicious activity were insufficient.
In January, a hacker brought the Lush website to its knees, compromising the security of sensitive customer information. After receiving complaints from 95 customers who had been victims of card fraud, Lush took the site offline. The attack affected customers who placed online orders with Lush from 4th October 2010. Following the breach, Lush set up a temporary website that redirected customers from its own site to the bank’s server, where payment is taken.
As a result of the breach, the ICO has required Lush’s managing director Mark Constantine to sign an undertaking promising that “appropriate technical and organisational measures are employed, and maintained, to prevent the unlawful processing of customer data, particularly within web-based systems”. Lush must also store just the minimum amount of personal data on customers and this will be kept for no longer than is necessary. Further, Lush must ensure that all future payment processing is PCI-compliant.
Commenting on the ruling, Lush issued a statement apologising for the distress caused to customers. It said it was working on a new site, due to launch in September, that will have “a range of security measures which exceed the requirements of the Payment Card Industry Data Security Standard (PCI DSS), as well as a range of third-party specialist security services in place.”