Lack of Lush Penalty Makes A Mockery Of DPA

SecurEnvoy : 11 August, 2011  (Technical Article)
Two-Factor Authentication company comments on the Information Commissioner's Office decision not to impose penalties on cosmetics company after major data breach
As the Information Commissioner's Office (ICO) has published its report on the major hack of the Lush cosmetics group, which lasted four months between October of last year and January of this year, and has decided not to penalise the firm or require it to sign an undertaking to prevent further data breaches, SecurEnvoy says the ruling sends out all the wrong messages.

According to Steve Watts, co-founder of the two-factor tokenless authentication specialist, the decision by the ICO comes after hackers were able to access the payment details of around 5,000 customers who had previously been Web e-clients of the cosmetics firm.

“It's said that 95 customers of the site had complained. But it's a fair bet that a lot more who didn't complain also had their card details fraudulently used, and now the ICO doesn't plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit,” he said.

“What we have here is a major e-commerce Web portal – run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free,” he added.

This, says the SecurEnvoy co-founder, shows how crass the UK's data protection legislation – and quite possibly the PCI Data Security Standard – are in terms of penalties, if the watchdog that enforces the rules feels it cannot penalise a company whose database has been hacked for 120 days without its IT staff being aware of the incursion.

And now we learn that all the ICO requires is a signed undertaking that the company's customer card data will be processed in accordance with the PCI Data Security Standard, and that the ICO is warning other retailers that, if they do not abide by the same rules, they risk enforcement action, he noted.

If this is enforcement action, then it's a pretty poor state of affairs, says Watts, adding that this is the data protection equivalent of the hoodlum who robs a store of its cash and then gets off with community service and a warning not to do it again. It does not, he explained, represent justice in any shape or form.

Lush's IT security staff, he says, must be quietly laughing up their sleeves, having seen their employer escape from a fine that could have been measured in six figures.

“But then, when you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting ‘done’ by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is,” he said.

“Our colleagues over at ViaSat announced their own research at the Infosecurity Europe show back in April and found that the ICO had used its powers in fewer than 1 in 500 data breach cases. Out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties. The situation with Lush is therefore in keeping with this strategy, but it still makes a mockery of the Data Protection Act,” he added.