TLT Solicitors

Data breach by Lush sends warning to retailers

Updated September 2011

The website of cosmetics retailer Lush was hacked for a period of four months, the Information Commissioner's Office (ICO) has announced. From October 2010 to January 2011 the hackers accessed customers' payment details and there were several incidents of card fraud. While Lush restored the security of the website on uncovering the incident, the ICO has recently required the company to sign an undertaking to process credit card data in line with the Payment Card Industry Data Security Standard in the future.

Although Lush had measures in place both to keep payment details secure and to record suspicious activity on its website, it was nevertheless found to be in breach of the Data Protection Act. While the incident is partly due to the sophistication of the hackers, the ICO considered the measures were not sufficient to prevent a determined attack on Lush's website. Lush was also found to have inadequate procedures for recording suspicious activity on its website, which delayed the discovery of the breach.

This incident highlights the importance of online security for retailers. While there may be occasions when a company has done everything possible and has simply been unlucky, companies must ensure that their safeguards are at least as high as industry standards. The ICO expects retailers to carry out regular security checks and to comply fully with security standards such as the Payment Card Industry Data Security Standard.

If you require any assistance in relation to data protection matters, please contact Alison Deighton.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.

© 2012 TLT LLP