After the payment details of 5,000 of the soap retailer’s online customers were put at risk by a security breach, ICO has issued a release asking online retailers to take special care with customers’ credit card details. In this context the “PCI DSS” standard is key, as Anna Williams reports.
Topic: Privacy
Who: Lush Cosmetics Ltd and the UK Information Commissioner's Office ("ICO")
When: 9 August 2011
Where: UK
Law stated as at: 30 August 2011
What happened:
ICO recently issued a press release which aimed to focus the minds of retailers on their online security and data processing compliance obligations. ICO made an example of the cosmetics retailer "Lush" (Lush Cosmetics Limited), which was found to have breached the Data Protection Act 1998 after the security of its website was compromised for a four-month period.
Lush's security breaches meant that hackers were able to access the payment details of approximately 5,000 of its customers who had previously placed orders via its retail website.
ICO's reporting of this matter explains that Lush discovered the security lapse in January 2011 after receiving complaints from 95 customers who had been victims of card fraud. After making enquiries, Lush discovered that its website had been subject to a hacking incident which had allowed hackers to access the payment details of Lush customers. Upon discovering this issue, Lush restored the security of its website. ICO investigated the matter and found that, although Lush had measures in place to keep customers’ payment details secure, they were not sufficient to prevent a determined attack on its website.
The retailer’s methods of recording suspicious activity on its website were also considered by ICO to be insufficient, which ICO felt delayed the time it took Lush to identify the security breaches in question.
As a result of its investigations, ICO required Lush to sign an undertaking to ensure that future customer credit card data will be processed by Lush in accordance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the main standard relating to storing payment card data and it sets out requirements specifying steps which should be taken to ensure payment card data is kept secure both during and after transactions. The PCI DSS standard was established by the PCI Security Standards Council, which comprises major payment card brands including American Express, Visa and MasterCard. Amongst other things, the undertaking Lush was required to sign commits Lush to storing only the "minimum amount" of payment data necessary to receive payments, and to ensuring such payment information is not kept for longer than necessary. Furthermore, all future payments will have to be managed by an external provider compliant with the PCI DSS standard, and Lush will need to ensure appropriate technical and organisational measures are employed and maintained within its business going forward.
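To make the storage commitments concrete, here is an added illustration (not Lush's or the ICO's code, and not part of the undertaking itself) of what a retailer's order system might keep locally once the full card details are handed to an external PCI DSS compliant provider. The field names, the 90-day retention period, the provider reference format and the sample checkout payload are assumptions made for the illustration; the rules that the CVV must not be retained after authorisation and that a displayed card number shows at most the first six and last four digits come from the PCI DSS itself.

```python
"""Data-minimising payment record handling (added illustration, not the
retailer's or the ICO's own code).

Assumes the full card details go to an external PCI DSS compliant payment
provider and only a truncated card number, the expiry, and the provider's
transaction reference are kept locally.  Sensitive authentication data
(CVV, PIN, magnetic-stripe track data) is never written, and records older
than a fixed retention period are purged.
"""
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Fields that must never reach the retailer's own storage (PCI DSS forbids
# retaining sensitive authentication data after authorisation).
FORBIDDEN_FIELDS = {"cvv", "cvc", "pin", "track_data"}

# Assumed retention period; the undertaking only says "no longer than necessary".
RETENTION = timedelta(days=90)

# Any run of 13-19 digits looks like an unmasked card number.
FULL_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample checkout payload, as a web form might submit it.
SAMPLE_CHECKOUT = {
    "order_id": "ORD-0001",
    "cardholder": "A Customer",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/14",
    "cvv": "123",
}
SAMPLE_NOW = datetime(2011, 8, 9, tzinfo=timezone.utc)


@dataclass(frozen=True)
class StoredPayment:
    """The minimum record the retailer keeps once the provider has the card."""
    order_id: str
    pan_truncated: str   # first six and last four digits only
    expiry: str
    provider_ref: str    # hypothetical reference returned by the payment provider
    captured_at: datetime


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits, the PCI DSS display maximum."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number has an implausible length")
    return f"{digits[:6]}{'*' * (len(digits) - 10)}{digits[-4:]}"


def minimise(raw: dict, provider_ref: str, now: datetime) -> StoredPayment:
    """Reduce a raw checkout payload to the minimum record kept locally."""
    return StoredPayment(
        order_id=raw["order_id"],
        pan_truncated=truncate_pan(raw["pan"]),
        expiry=raw["expiry"],
        provider_ref=provider_ref,
        captured_at=now,
    )


def check_storable(record: dict) -> None:
    """Guard to run before any write to the retailer's database."""
    offending = FORBIDDEN_FIELDS & set(record)
    if offending:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(offending)}")
    for key, value in record.items():
        if isinstance(value, str) and FULL_PAN.search(value):
            raise ValueError(f"field {key!r} looks like an unmasked card number")


def purge_expired(records, now: datetime, retention: timedelta = RETENTION):
    """Return only records still inside the retention period."""
    return [r for r in records if now - r.captured_at <= retention]


def demo():
    """Worked run over the constructed sample; returns values for checking."""
    stored = minimise(SAMPLE_CHECKOUT, provider_ref="txn-demo-1", now=SAMPLE_NOW)
    check_storable(asdict(stored))        # passes: no forbidden fields, PAN truncated
    try:
        check_storable(SAMPLE_CHECKOUT)   # fails: raw payload carries a CVV and a full PAN
        raw_rejected = False
    except ValueError:
        raw_rejected = True
    old = StoredPayment("ORD-0000", stored.pan_truncated, "01/11", "txn-old",
                        SAMPLE_NOW - timedelta(days=120))
    kept = purge_expired([old, stored], now=SAMPLE_NOW)
    return stored, raw_rejected, [r.order_id for r in kept]


if __name__ == "__main__":
    stored, raw_rejected, kept = demo()
    print(stored.pan_truncated, raw_rejected, kept)
```

The guard in `check_storable` is the part worth copying: it refuses the raw form payload outright, so a code path that forgets to call `minimise` cannot quietly persist a CVV or full card number.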
Within its press release on this matter, ICO's Acting Head of Enforcement, Sally Anne Poole, said: "With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals." On the matter of Lush's security breaches she commented: "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times."
ICO has also taken this opportunity to remind retailers and other data processors of its existing guidance regarding the level of security measures businesses should have in place when storing personal information electronically. ICO's tips include the following:
1. Where computer security is concerned:
- Install a firewall and virus-checking on your computers.
- Make sure that your operating system is set up to receive automatic updates.
- Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities.
- Only allow your staff access to the information they need to do their job and don’t let them share passwords.
- Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
- Take regular back-ups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don’t lose the information.
- Securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk).
- Consider installing an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on your computer. Spyware can be unwittingly installed within other file and program downloads, and their use is often malicious. They can capture passwords, banking credentials and credit card details, then relay them back to fraudsters. Anti-spyware helps to monitor and protect your computer from spyware threats, and it is often free to use and update.
2. For using emails securely:
- Consider whether the content of the email should be encrypted or password protected. Your IT or security team should be able to assist you with encryption.
- When you start to type in the name of the recipient, some email software will suggest similar addresses you have used before. If you have previously emailed several people whose name or address starts the same way – eg “Dave” – the auto-complete function may bring up several “Daves”. Make sure you choose the right address before you click send.
- If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to.
- Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone.
- If you send a sensitive email from a secure server to an insecure recipient, security will be threatened. You may need to check that the recipient’s arrangements are secure enough before sending your message.
Why this matters:
ICO has taken this opportunity to warn online retailers that if they do not adopt the PCI DSS standard, or at least provide equivalent protection when processing customers’ credit card details, they risk enforcement action. ICO will clearly be keeping an eye on retailers in this regard going forward.
This is a warning that should not be taken lightly by UK online retailers. Under UK data protection laws ICO now has the power to fine organisations up to £500,000 for serious breaches of the data protection laws which govern the processing of personal data. ICO has been making an effort to provide businesses with clear information as to how it intends to use its powers to impose financial penalties, and its recent announcements following the Lush investigation follow its recent consultation paper on its ability to impose monetary penalties, which we reported on in detail in last month's marketinglaw.co.uk update (see here). The aim of ICO's recent consultation was to amend its guidance notes to businesses to include references to its interpretation of its potential powers under the Privacy and Electronic Communications (EC Directive) Regulations 2003 as well as under the Data Protection Act 1998, so that businesses have clear indications of how ICO will enforce its powers and what it will view as a material breach of data protection laws.
ICO is therefore striving to provide businesses with clear guidance notes which indicate when ICO may attempt to step in and flex its monetary muscles where it is satisfied there has been a case of non-compliance with applicable data protection laws.
Businesses will therefore find it difficult to claim ignorance if they have not carefully assessed and planned their compliance with data protection laws. Of course, one of the most compelling reasons for online retailers to take note of such ICO investigations and of their own security measures is the negative PR that can arise from numerous customer complaints linked to online security issues, and the lost sales that can result.