ICO’s failure to fine Lush over site hack sends out the wrong security message

As the Information Commissioner’s Office (ICO) has made its report on the major hack – lasting four months between October of last year and January of this – of the Lush cosmetics group, and decided not to penalise the firm or require it to sign an undertaking to prevent further data breaches, the ruling sends out all the wrong messages.

The decision by the ICO comes after hackers were able to access the payment details of around 5,000 customers who had previously been Web e-clients of the cosmetics firm.

It’s said that 95 customers of the site had complained. But it’s a fair bet that a lot more who didn’t complain also had their card details fraudulently used, and now the ICO doesn’t plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit.

What we have here is a major e-commerce Web portal – run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free.

This shows how crass the UK’s data protection legislation – and quite possibly the PCI Data Security Standard – are in terms of penalties, if the watchdog that enforces the rules feels it cannot penalise a company whose database has been hacked for 120 days without its IT staff being aware of the incursion.

And now we learn that all the ICO requires is a signed undertaking that its customer card data will be processed in accordance with the PCI Data Security Standard, and that the ICO is warning other retailers that, if they do not abide by the same rules they risk enforcement action.

If this is enforcement action, then it’s a pretty poor state of affairs. This is the data protection equivalent of the hoodlum that robs a store of its cash and then gets off with community service and warned not to do it again. It does not represent justice in any shape or form.

Lush’s IT security staff must be quietly laughing up their sleeves, having seen their employer escape from a fine that could have been measured in six figures.

But then, when you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting “done” by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is.

My colleagues over at ViaSat announced their own research at the Infosecurity Europe show back in April and found that the ICO had used its powers in fewer than 1 in 500 data breach cases. Out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties. The situation with Lush is therefore in keeping with this strategy, but it still makes a mockery of the Data Protection Act.

Steven Watts brings 25 years’ of industry experience to his role at the helm of Sales & Marketing for SecurEnvoy. He founded the company with Andrew Kemshall in 2003 and still works tirelessly to grow the company in new and established markets. His particular value is market and partner strategy; having assisted in the development and design of the products, designed the pricing strategy and recurring revenue model that has been so key to the businesses growth and success. Before starting SecurEnvoy, Steven was responsible for setting up nonstop IT, the UK’s first IT security reseller in 1994. Prior to setting out on his own, Steven worked as Sales Director at the networking and IT division of Comtec, and had started his career in office solution sales in 1986.