Payment details of 5,000 customers were compromised in persistent hacking attack

By Anh Nguyen, Computerworld UK
Published 16:21, 09 August 11

The Information Commissioner has found cosmetics retailer Lush in breach of the Data Protection Act (DPA) after the company’s website was hacked, exposing customers’ credit card details.

In January, the company took down its website following persistent attacks by hackers, and warned all customers who placed online orders on the website between 4 October 2010 and 20 January 2011 that their card details “may have been compromised”.

The ICO revealed that hackers were able to access the payment details of 5,000 customers. Lush only discovered the security issue in January after receiving complaints from 95 customers who had been the victims of card fraud.

On investigation, the ICO found that while the company had measures in place to secure customers’ payment details, it did not have sufficient protection to prevent a determined attack on its website.
Lush also failed to identify the security breach quickly due to insufficient methods for recording suspicious activity on its website.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security.

“This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

Lush has now signed an undertaking to ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). To this end, it has chosen a compliant external provider to process all future payments. In addition, the company will ensure that it only stores the minimum amount of payment data necessary to receive payments, and that this information is only kept for as long as is necessary.