Security breach could cost cosmetics firm


Security breach could cost cosmetics firm

Simon Quicke

Those wondering what the implications are for failing to uphold PCI DSS security guidelines around credit card transactions might have their curiosity satisfied if soap retailer Lush gets hauled over the coals.

The high-street organic cosmetics firm has revealed that it was hacked back in October but only let customers into the secret last week, with some now reporting that they have been the victims of fraudulent credit card activity.

The consequences for Lush include fines from the Information Commissioner's Office for failing to safeguard customer data but it could also kick-start an investigation by PCI DSS body the Payment Card Industry Security Standards Forum.

"This looks like a prime example of how not to handle a serious data security incident. Not only has the retailer alienated large numbers of customers, but it could also pay penalties on several fronts," said Phil Lieberman, president of Lieberman Software.

He added that their had already been damage done to Lush's reputation and social forums including Facebook were full of comments from disgruntled customers.

Lush has now taken its website down and apologised to customers and left this message for the hacker: "our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'."

The most recent set of PCI DSS guidelines came into force last autumn and the largest merchants had to meet a raft of PCI requirements before the standard to protect data is rolled out to smaller retailers.

Join the conversation Comment



    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.