Lush hack let slip 5,000 people's bank details

The ICO has decided not to fine the cosmetics maker over a four-month man-in-the-middle hack that siphoned off banking details and led to 95 fraud complaints, saying that Lush has cleaned up its act

A four-month hack on cosmetics retailer Lush exposed the payment details of around 5,000 customers and led to 95 reports of fraud, according to the Information Commissioner's Office.

The ICO has concluded its investigation of the hack on the Lush website, in which the personal details of 5,000 people were compromised. Photo credit: Kake Pugh on Flickr

Outsiders installed code on Lush's website that intercepted banking details — in what is known as a man-in-the-middle attack — between October 2010 and January 2011, the UK data-protection watchdog said on Wednesday.

"Hackers attacked and put a bit of code on the Lush website to siphon off customer details," a spokesman for the Information Commissioner's Office (ICO) told ZDNet UK. "The code allowed the hackers to get information as people were putting [payment details] into the website."

In a statement published on Tuesday, the authority found that Lush had not properly protected customer information, but decided not to fine the company as it had made an effort to secure its systems. The ICO has the power to fine organisations up to £500,000 for data-protection breaches.

"We considered a monetary penalty, but the breach didn't meet all the criteria," the spokesman said. "We have to have sufficient information that an organisation failed to take reasonable steps to secure data. [Lush] had measures in place, but not sufficient to prevent a concerted attack."

Website breach

The Poole-based cosmetics manufacturer was alerted to problems with its website after receiving complaints from 95 customers that they had been the victims of card fraud, the ICO said. Lush discovered the breach on 24 December, and on 21 January it warned customers that their data may have been exposed between 4 October and 20 January.

"With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals," the ICO's acting head of enforcement, Sally Anne Poole, said in the statement. "Lush... failed to do regular security checks and did not fully meet industry standards relating to card-payment security."

The company did not meet number 11 of the 12 essential requirements laid out in the Payment Card Industry Data Security Standard (PCI-DSS), the ICO said. This says that businesses must regularly test their security systems and processes.
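The attack described above worked by planting a script on the checkout page that read payment details as customers typed them, and the ICO's finding is that the site was not being tested regularly. The script below is an added example, not code from Lush, the ICO or any of the vendors named in this article: it is the sort of scheduled integrity check a retailer could run against its own checkout page, recording the external script sources and a hash of each inline script in a known-good baseline and flagging anything on the live page that is not in it. Both HTML documents are constructed for the example; the "tampered" page contains only a harmless placeholder block standing in for an injected script.

```python
"""Baseline check for unexpected scripts on a payment page (added example).

Records the script inventory of a known-good checkout page, then reports any
external script source or inline script body that appears on the live page but
not in that baseline. All HTML here is constructed for the example.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect <script src=...> targets and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of src attributes
        self.inline = []         # bodies of inline script blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers the whole <script> body as one data chunk.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_fingerprint(html: str) -> set:
    """Return tokens 'src:<url>' for external scripts and 'inline:<sha256>' for inline ones."""
    parser = ScriptCollector()
    parser.feed(html)
    tokens = {f"src:{s}" for s in parser.external}
    for body in parser.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        tokens.add(f"inline:{digest}")
    return tokens


def check_page(live_html: str, baseline: set) -> list:
    """Return the script tokens on the live page that are absent from the baseline."""
    return sorted(script_fingerprint(live_html) - baseline)


# Constructed known-good checkout page: one first-party script, one inline settings stub.
BASELINE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script>window.analyticsEnabled = true;</script>
</head><body><form id="payment"><input name="card"></form></body></html>
"""

# Constructed page as it might look after tampering: an extra inline block has been added.
# The body is a harmless placeholder, not real injected code.
TAMPERED_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script>window.analyticsEnabled = true;</script>
<script>/* injected-script-placeholder */ document.getElementById("payment");</script>
</head><body><form id="payment"><input name="card"></form></body></html>
"""

BASELINE = script_fingerprint(BASELINE_HTML)


def unexpected_scripts_in_tampered() -> int:
    """Number of script tokens on TAMPERED_HTML not covered by the baseline."""
    return len(check_page(TAMPERED_HTML, BASELINE))


if __name__ == "__main__":
    for token in check_page(TAMPERED_HTML, BASELINE):
        print("unexpected script:", token)
```

Run on a schedule against the live checkout page, the check turns a four-month window like the one in this case into a same-day alert whenever a script appears that nobody approved; any deliberate change to the page is handled by regenerating the baseline. It complements, rather than replaces, the periodic penetration testing that PCI-DSS requirement 11 calls for.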

Lush has signed an undertaking stating that its payments will be processed by a third-party provider that adheres to PCI-DSS. In January, the company said it would accept payments via PayPal.

The cosmetics maker had not responded to a request for comment at the time of writing. On its website, Lush said that it had tightened up security procedures since the hack. The company uses Netittude to do penetration testing, Trustwave to secure its payments system, and RBS Worldpay to process transactions.
