ICO chooses not to fine Lush for data breach

Simon Quicke

The Information Commissioner's Office (ICO) has been accused again of being a toothless tiger after it opted not to fine the cosmetics firm Lush after a data breach that lasted for four months at the tail-end of last year.

The ICO has already been criticised for failing to hand out enough fines and use its muscle to deter those who take a lax attitude to protecting sensitive customer data, and following the Lush decision some in the security industry have voiced concerns that the wrong message is being sent to the corporate community.

The breach, which lasted from October last year until January, meant that 5,000 customers who had previously shopped on the retailer's website had their details exposed to hackers.

The ICO has the right to fine a firm caught in that sort of breach up to £500,000, but all it has chosen to do in this case is to get Lush to sign an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry (PCI) data security standard.

Acting head of enforcement at the ICO, Sally Anne Poole, said that it was going to use the case to warn other retailers over the need to ensure data was protected.

"Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back," she said.

"This breach should serve as a warning to all retailers that online security must be taken seriously and that the PCI data security standard or an equivalent must be followed at all times," she added.

But the decision not to fine Lush has been seen as a missed opportunity to flex some muscle and send a stronger message, with Steve Watts, co-founder of SecurEnvoy, frustrated with the outcome of the case.

"What we have here is a major e-commerce Web portal - run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally - that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free," he added.

The ICO came in for strong criticism earlier this year. A freedom of information request made by ViaSat revealed that from 6 April last year, when the ICO was given the powers to impose fines of up to £500,000, until 22 March this year, 2,565 breaches were reported. But in that period of almost a year only 37 resulted in action from the ICO, with just four ending up in fines being handed out.

Even with the ability to impose fines of half a million pounds, so far the ICO has shied away from issuing anything near that, preferring to keep the levels under the £100,000 mark.
