Now that the Information Commissioner’s Office (ICO) has published its report on the major hack – lasting four months between October of last year and January of this – of the Lush cosmetics group, and decided not to penalise the firm or require it to sign an undertaking to prevent further data breaches, the ruling sends out all the wrong messages.
The decision by the ICO comes after hackers were able to access the payment details of around 5,000 customers who had previously been Web e-clients of the cosmetics firm.
It’s said that 95 customers of the site had complained. But it’s a fair bet that a lot more who didn’t complain also had their card details fraudulently used, and now the ICO doesn’t plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit.
What we have here is a major e-commerce Web portal – run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and has essentially got away scot-free.
This shows how crass the UK’s data protection legislation – and quite possibly the PCI Data Security Standard – are in terms of penalties, if the watchdog that enforces the rules feels it cannot penalise a company whose database has been hacked for 120 days without its IT staff being aware of the incursion.
And now we learn that all the ICO requires is a signed undertaking that its customer card data will be processed in accordance with the PCI Data Security Standard, and that the ICO is warning other retailers that, if they do not abide by the same rules, they risk enforcement action.
If this is enforcement action, then it’s a pretty poor state of affairs. This is the data protection equivalent of the hoodlum who robs a store of its cash and then gets off with community service and a warning not to do it again. It does not represent justice in any shape or form.
Lush’s IT security staff must be quietly laughing up their sleeves, having seen their employer escape from a fine that could have been measured in six figures.
But then, when you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting “done” by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is.
My colleagues over at ViaSat announced their own research at the Infosecurity Europe show back in April and found that the ICO had used its powers in fewer than 1 in 500 data breach cases. Out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties. The situation with Lush is therefore in keeping with this strategy, but it still makes a mockery of the Data Protection Act.