SecurEnvoy says ICO’s failure to fine Lush over e-commerce site hack sends out the wrong security message

August 2011 by SecurEnvoy

According to Steve Watts, co-founder of the two-factor tokenless authentication specialist, the decision by the ICO comes after hackers were able to access the payment details of around 5,000 customers who had previously been Web e-clients of the cosmetics firm.

“It’s said that 95 customers of the site had complained. But it’s a fair bet that a lot more who didn’t complain also had their card details fraudulently used, and now the ICO doesn’t plan on imposing a fine, or even securing a data protection undertaking from the company? This really does take the security biscuit,” he said.

“What we have here is a major e-commerce Web portal - run by a consumer-friendly company that prides itself on its eco-friendly products and stance generally – that was solidly hacked for four months over the busy Christmas period, and essentially has got away scot-free,” he added.

This, says the SecurEnvoy co-founder, shows how crass the UK’s data protection legislation – and quite possibly the PCI Data Security Standard – are in terms of penalties, if the watchdog that enforces the rules feels it cannot penalise a company whose database has been hacked for 120 days without its IT staff being aware of the incursion.

And now we learn that all the ICO requires is a signed undertaking that its customer card data will be processed in accordance with the PCI Data Security Standard, and that the ICO is warning other retailers that, if they do not abide by the same rules, they risk enforcement action, he noted.

If this is enforcement action, then it’s a pretty poor state of affairs, says Watts, adding that this is the data protection equivalent of the hoodlum that robs a store of its cash and then gets off with community service and is warned not to do it again. It does not, he explained, represent justice in any shape or form.

Lush’s IT security staff, he says, must be quietly laughing up their sleeves, having seen their employer escape from a fine that could have been measured in six figures.

“But then, when you look at the number of times that the Information Commissioner has imposed a fine of any sort on those companies that have suffered a data breach, and compare it with the 30-odd reports that the ICO gets every month on data breaches, you realise that the chances of getting ‘done’ by the Information Commissioner for a hack that has occurred due to lack-lustre IT security are minimal – and you know what a toothless tiger the ICO really is,” he said.

“Our colleagues over at ViaSat announced their own research at the Infosecurity Europe show back in April and found that the ICO had used its powers in fewer than 1 in 500 data breach cases (http://bit.ly/pfGRbd). Out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties. The situation with Lush is therefore in keeping with this strategy, but it still makes a mockery of the Data Protection Act,” he added.
