Out-Law News
25 Jan 2011, 10:36 am
Data protection watchdog the Information Commissioner's Office (ICO) is not investigating the possible data security breach at Lush because nobody has yet complained to it, a spokesman said.
Lush has admitted that its website was hacked and that customer credit card details may have been exposed. Some have been the subject of unauthorised use, it said.
The ICO is responsible for enforcing the Data Protection Act, which governs how companies store and process personal data. A spokesman said that the hacking activity was a criminal matter for the police to deal with and that it could not investigate whether or not Lush stored customers' information properly until a complaint was made to it.
"The ICO can't follow up on this until we receive complaints," said the spokesman, who confirmed that no complaint had been made yet. "We are advising the public that if they have any concerns about their data they should contact us."
"We are very sorry to confirm that our website has been the victim of hackers," said a statement on Lush's website. "Some of our customers have already experienced unauthorised use of their cards, so we still urge all [affected customers] to check statements and talk to their banks for advice."
The company said that the incident could affect anyone who ordered from the company's website between 4 October and 20 January.
If the ICO does receive complaints and investigates the company it could look at the level of security that protected the information and the way in which information was processed.
Security consultant Graham Cluley of Sophos wrote in his blog that questions about how quickly Lush acted and how well information was protected will be crucial.
"It would certainly be interesting to hear when Lush first discovered that they had suffered from a security breach. Was it at the same time as they posted the message on the front page of their website, or have they known for longer?" he said.
"Was the customer credit card information not encrypted? If it had been strongly encrypted then although a hack might have been embarrassing, customers would not necessarily be at risk of fraud," he said.
William Malcolm, a privacy law expert at Pinsent Masons, the law firm behind OUT-LAW.COM, said that the incident could become a more common one in UK retail as hackers use increasingly complex tools.
"This case highlights the constant threat that online retailers face from hackers and the need to remain vigilant," he said. "Lush will no doubt be concerned to ensure that its current standards comply with the Data Protection Act and technical security standard PCI DSS."
"However, it doesn't necessarily follow, just because there has been a security incident, that Lush has in any way breached the law. Lush may have taken appropriate safeguards and just been the victim of a sophisticated criminal attack," he said.
"As hacking attacks become more sophisticated it will be a growing issue for the ICO to work out when retailers have done everything possible and just been unlucky and when safeguards fall short of market and industry standards," said Malcolm.