E-tailers warned to tighten security

Online retailers have been warned to make customer data security their top priority – or face enforcement action – after an Information Commissioner’s Office probe found that cosmetics firm Lush did not do enough to prevent a sustained hack attack.
Following the breach, in which the details of 5,000 customers were stolen, the firm has been required to sign an undertaking with the ICO. This includes the provision that all future payments must be managed by an external provider compliant with the Payment Card Industry Data Security Standard. Lush is also only permitted to store the minimum amount of data necessary to process payments.
Lush warned customers who had placed online orders between October 4 2010 and January 20 2011 to contact their banks as their card details may have been stolen. The company was forced to close its website because of continued attempts by hackers to access customer data.
The investigation found that, although Lush had measures in place to keep customers’ payment details secure, they were not sufficient to prevent ongoing attacks on its website. Lush’s methods of recording suspicious activity on its website were also insufficient, which prolonged the time it took the company to identify the security breach.
Acting head of enforcement Sally Anne Poole said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had it done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back.
“This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
