
ICO Lets Lush Slip Without Fine, Sends Wrong Message

The Information Commissioner's Office's (ICO) apparent inability to impose a monetary fine on Lush, the cosmetics firm that failed to adequately secure the records of thousands of its customers against hackers, has sent out the wrong message, one of the country's leading authentication firms, SecurEnvoy, claims.

The ICO earlier stated that the security breach of Lush's network exposed the payment details of 5,000 of the firm's customers. However, the security watchdog did not penalise Lush, saying that the company had made efforts to secure its network.

The UK Data Protection Act allows the ICO to impose a monetary penalty of up to £500,000 on organisations found guilty of data-protection breaches.

A spokesperson for the ICO told ZDNet UK, "Hackers attacked and put a bit of code on the Lush website to siphon off customer details."

"The code allowed the hackers to get information as people were putting [payment details] into the website," the spokesperson added.

Steve Watts, co-founder of SecurEnvoy, told Computer Weekly: "This is the data protection equivalent of the hoodlum that robs a store of its cash and then gets off with community service and warned not to do it again."