Online retailer Lush is planning to launch a new community-focused website this autumn, replacing one that was taken down earlier this year after a data protection breach left up to 5,000 of its customers exposed to hackers.
The news follows a ruling this week by the Information Commissioner’s Office (ICO) that the handmade cosmetics company breached the Data Protection Act when its website security was compromised for four months. The ICO has now warned other online retailers to make sure their payment security is up to standard.
In a statement, Lush said it had learned a lot since the hacking and that its new website would exceed the requirements of the Payment Card Industry Data Security Standard, which it must comply with in order to meet the ICO’s ruling.
Its current, temporary, site, it said: “has been the subject of rigorous penetration testing and additional security measures. Just like our old site, our temporary website does not store credit card data. But unlike our old site, it now takes customers’ away from our server at payment stage and through to the banks own server, where payment is taken. This gave us the confidence to put a website back up to trade again. We hope that it has also given our customers the confidence to return and shop with us once again.”
Lush said its new site, to be launched in early September, would offer ecommerce transactions as well as social media and user generated content, becoming a “community-based social network where staff can interact with customers and help them make the right product choices.” Customers will also be able make their own contributions to the site, starting discussions on issues from products to campaigns.
The Information Commissioner’s Office (ICO) said the security of the Lush website was left exposed between October 2010 and January 2011. As a result, hackers were able to access the payment details of more than 5,000 Lush customers who had bought through the website. In all, 95 customers complained to Lush after finding they were the victims of card fraud. Lush found its site had been hacked and restored the security of its website straight away. The ICO found that although Lush had put in place measures to protect customers’ card information they were not enough to fend off a determined attack. Its methods of recording suspicious activity on its website also fell below standards, meaning the identification of the security breach was delayed.
Lush managing director Mark Constantine has now signed an undertaking committing the retailer to make sure the future customer credit card data is processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS). The company must only store the amount of data it needs in order to receive payment and must keep it no longer than necessary.
Lush said: “Our customers have been amazingly supportive and loyal throughout this whole period, for which we are humbly grateful. We are very sorry for the inconvenience and distress the hacking caused them and have done everything in our power to prevent this happening again.”
The ICO says other retailers should learn from the lesson and to make sure their websites also meet PCI DSS or equivalent standards. Otherwise they too will face enforcement action.
The ICO’s acting head of enforcement Sally Ann Poole said: “With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
Our view: Lush says it has learned a lot from its experience with hacking and it looks set to emerge from events with a better, stronger website. But that will have come at a cost. It’s a cost measured not only in investment in new technology, which perhaps was overdue anyhow, but one that is measured in damage to the reputation, the confidence of its customers and thus the loss of sales. Other retailers would do well to follow the ICO’s advice and make sure their systems really do meet current standards.
