back to article Akira ransomware gang says it stole passport scans from Lush in 110 GB data heist

The Akira ransomware gang is claiming responsiblity for the "cybersecurity incident" at British bath bomb merchant. Akira says it has stolen 110 GB of data from the UK-headquartered global cosmetics giant, which has more than 900 stores worldwide, allegedly including "a lot of personal documents" such as passport scans. …

  1. Doctor Syntax Silver badge

    You have to wonder just when it will dawn on HR types that personal data held for a moment longer than needed becomes toxic waste. Perhaps a mandatory fine of 1,000 GBEurollars per retained passport scan discovered on audit* and 10x that for each taken in a heist would have some effect. But probably not.

    * It's time for compulsory unannounced audits of organisations licensed** to hold personal data of more than, say 100 people.

    ** Yes, it's time for such licensing.

    1. Anonymous Coward
      Anonymous Coward

      Stop data storage by business

      Businesses should not store personal data at all. The data should be stored and guarded by a few highly secure organizations. More in a post below Id/Passport verification service.

      1. Anonymous Coward
        Anonymous Coward

        > Businesses should not store personal data at all

        This would have a nice anonymity side-effect. Only imagine you showing in a business database purely as a unique non-reusable number associated ONLY with this particular business. Individuals could confirm/allow registration on business-independent app, when becoming a client. After that this business can only access your personal details for specific business operation, for example delivery address.

      2. hoola Silver badge

        Re: Stop data storage by business

        Hmm, and have everything in one place ripe for picking.

        Nothing that is connected to any form of data cable is 100% secure .

        1. Anonymous Coward
          Anonymous Coward

          > one place ripe for picking

          Maybe 1 very secure place is better than 80% of guaranteed insecure ones. Also the 1 place could be 2-3 competing places, like Google, Amazon, and Microsoft.

    2. Michael Strorm Silver badge

      > You have to wonder just when it will dawn on HR types that personal data held for a moment longer than needed becomes toxic waste.

      When it publicly and very visibly becomes something that can have *real* risks and consequences for the company itself and- directly or indirectly- the careers and even liberty of those working in HR, that's when.

  2. tmTM

    Hoarding personal data like a flabby dragon sat on it's treasure

    Maybe someone needs to walk into HR and stick the boot in, demand to know why they thought it was a good idea to store all this stuff?

    1. CountCadaver Silver badge

      Re: Hoarding personal data like a flabby dragon sat on it's treasure

      Malcolm Tucker perhaps?

  3. that one in the corner Silver badge

    Passport scans

    > are routinely collected to verify identities during the course of the hiring process

    Collected? Not just "checked and that check signed off by HR"?

    Oh no, of course not, that might mean that HR actually has to take responsibility for doing their job and putting their name to it. Far less damaging[1] to demand and keep a scan.

    [1] to that HR hack, that is.

  4. Korev Silver badge

    Did they use SOAP webservices at Lush?

  5. Joe-Thunks

    There we go again - Passport scans are routinely collected

    There should be a time limit on this. After somebody has been "verified", the scan should be deleted permanently. A fine of £10,000 for every scan retained if it is not deleted.

    All these companies siphon up data, keep it stored insecurely. Then they get to wash their hands of the problems they cause by having poor security.

    1. gryphon

      Re: There we go again - Passport scans are routinely collected

      Problem might be that the immigration service no doubt says that records must be kept for XYZ years to verify that proper employment checks were done when hiring.

      i.e. HR would have to prove that they were presented with what looked like authentic documents at the time rather than just have their word taken for it.

      Even then they could probably just print out the passport scans etc. and stick them in a handy filing cabinet with a reference rather than leaving them on a computer.

      They should certainly be deleting / shredding any that relate to past employees one would think since keeping those would surely breach Data Protection laws.

      1. CountCadaver Silver badge

        Re: There we go again - Passport scans are routinely collected

        Problem with filing cabinets is that they have security issues of their own, rogue staff can have a browse without any chance of detection, stuff gets misfiled and more, plus the physical storage space to hold that many records for that many staff isn't a small amount

        1. David Hicklin Bronze badge

          Re: There we go again - Passport scans are routinely collected

          > Problem with filing cabinets is that they have security issues of their own

          Easily solved by a basement, no stairs or lightbulbs, and a leopard

  6. Doctor Syntax Silver badge

    Translating Spokespeak

    "we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations,"

    Translation: we've sent comeone to the ironmongers for stable door bolts.

    "We take cybersecurity exceptionally seriously"

    Translation: we/ve just discovered cybersecurity has to be taken exceptionally seriously"

    Alternative translation: Cybersecurity is to be taken seriously but we made an exception.

    1. Anonymous Coward
      Anonymous Coward

      Re: Translating Spokespeak

      "We're all had meetings. We met with all the managers etc. We left out any IT engineer who'd actually have decent suggestions and instead we made shit up to lock everything down to make it more difficult to do any fucking work".

    2. hoola Silver badge

      Re: Translating Spokespeak

      But yet again someone is reacting to a loss. It is already too late.

      That is the issue. This will have been another " sophisticated" attack that somehow justifies the loss and makes it acceptable.

      No data loss is acceptable and the penalties for the losses take too long and are insignificant.

  7. Plest Silver badge


    Tell me, in the name of that's holy and blessed, why the fricking hell a shop that sellls fricking soap, needs to be storing customer's passport scans?! Employees in the HR DB, fair enough but customers?! I hope they had a damn good reason else GDPR will be ragging their arses once the hackers have finished having their fun.

    1. Doctor Syntax Silver badge


      You tell us why you think this isn't just HR and employees.

    2. werdsmith Silver badge


      Did you read the article ?

  8. Spanners Silver badge

    I'm sure

    Long ago, I was told that it was against the law for employers to scan things like passports and driving licences.

    As it was twentysomething years ago, is it possible that the current government changed the rules?

    Or am I mis-remembering?

    1. Paul Crawford Silver badge

      Re: I'm sure

      You seem to forget that the recent UK government has out-sourced immigration to employers, so they have to collect stupid amounts of data to avoid being liable for employing someone how is not allowed to work.

      The same bunch of useless fsckers who were not satisfied with Windrush, so brought us Brexit, and all the extra load of that...

  9. Anonymous Coward
    Anonymous Coward

    Id/Passport verification service

    It is wiser to create a gov-funded ID/passport verification service shared with businesses. A business representative would type/scan a physical ID into a gov-portal, and get shown the person's photo, and some kind of confirmation. The alternative is hopeless, because the majority of businesses are not sophisticated enough to keep personal details secure in their own systems. And will never be. So they should not be allowed to, except a few key identifiers, which could be as simple as an email address.

    Each ID verification access should be logged, and all businesses must register with the service to keep operations. So some bad guys could not bulk-verify personal information, as some kind of quotas and throttling should be set-up for each business with appropriate handling fees, depending on operation scale. Also, data owners (actual persons), could get an SMS/email alert on each ID verification.

    Ideally such verification should be for the whole EU, and other large blocks who trust each other. Keeping/saving detailed personal data by businesses should be forbidden, unless a person comes from a non-block country, unable to verify otherwise.

    Since access logs would be saved for each business, this could help verify persons even if their ID got changed or temporarily lost.

    1. Anonymous Coward
      Anonymous Coward

      Already now physical IDs have limited utility

      Digital should be the primary identification. While the cards could be useful in rare offline situations, and primarily as digital keys to enable the suggested verification.

    2. hoola Silver badge

      Re: Id/Passport verification service

      There already is one, Easy-ID (Yoti).

    3. JT_3K

      Re: Id/Passport verification service

      Here I am, contemplating the duality of having the best security experts money can buy (as suggested above in getting a "Google", an "Oracle" or a "Microsoft" to tender to do so) running a secondary verification/storage facility for high-PII like passports and driving licenses, against the pain/risk of a sole bucket of such a quantity posing a juicy target for the greatest and deepest-resource-pocket-government-backed hack groups to go after.

      You've solved the hell out of it. It doesn't need to be 2nd party. The government can, for a ****small**** fee perhaps, store that you registered an interest in an individual and verified documents as presented to you, as well as returning a single photograph (? from passport/driving license to allow you to confirm you were not just given a passport number for "16yo Sarah from Birmingham" that belonged to 86yo Sandra from Aberdeen and that the NI matches the passport), a date at which checked and non-identifiable GUID for your transaction? They have the data and maintenance of a table to confirm you have provided a correct passport ID and legally identifiable name as well as having proven you have legitimate interest for such a function through registered-company information would work?

  10. Anonymous Coward
    Anonymous Coward


    Lush have history with cyberattacks, didn't they get breached and lose a load of unencrypted customer credit/debit card details a while ago?

  11. Anonymous Coward
    Anonymous Coward


    Are totally useless at everyone company I've been at. They are there to protect the company not the employees but they can't even do that. I can't comment on what I've seen them do, the idiots, as it would be obvious then who I am (it was recent) but they are idiots. Not checking who's left themselves signed into a printer for starters.

    1. Gene Cash Silver badge

      Re: HR

      OK, I'm new here and I don't understand all this computer mumbojumbo.

      How do you sign into a printer?

      1. Munehaus

        Re: HR

        Depends on the audit and print release system installed. Google Papercut as an example.

  12. Paul 87

    It's amazing how many companies are diligently taking cybersecurity very seriously immediately after an attack.

  13. Anonymous Coward
    Anonymous Coward

    I'm as human as the next girl

    I like bath bombs and body spray

    But I don't need your PR lines

    Your crap data security

    1. ravenviz Silver badge

      Re: I'm as human as the next girl

      Lush secrets laid bare,

      Bath bombs in a data stream,

      Privacy dissolved.

      - ChatGPT

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm as human as the next girl

        Nice- albeit somewhat more "Burma Shave" than "Lush"!- but I should be clear that what I was aiming at with my original attempt wasn't anything in the direction of a haiku!

  14. ravenviz Silver badge

    Personal data retention should be turned on its head and decentralised, instead stored in a local user wallet, accessible to organisations via secure API. Centralised records are not only duplicated endlessly, but also more likely to be targeted by attackers. Local records would require a monumental effort to retrieve at any sort of scale.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like