The Data Protection Act controls how your personal information is used by organisations, businesses or the government.
Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- **kept safe and secure**
- not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
I’ve bolded the bit above which says the information must be kept safe and secure. Safe and secure. That seems reasonable doesn’t it? Yet on at least 2 occasions, to my knowledge, Lush have sent out a group email to their customers without putting the recipients into the bcc address box. They’ve sent out group emails to numerous customers in such a way that every recipient of the email could see the email addresses of every other recipient.
Once I could understand. It’s a shoddy, slipshod thing to do and indicates that they don’t take data protection particularly seriously. After all, if they did take it seriously, whoever set the group mailing up would have ensured it was set up as bcc, and somebody would have checked it. But mistakes happen and as long as a company learns from its mistakes and doesn’t continue to make them, well, forgiveness is a virtue.
But what if it happens again? Is that an honest mistake, or is it carelessness? Is it just bad luck or is it stupidity? Is it an error made by a rogue employee who didn’t pay enough attention to their data protection training, or is it a company which should know better holding the law in utter contempt? You decide.
(For the record, I don’t think anyone should blame an individual rogue employee. These cock-ups are corporate, and if anyone’s head should roll, it’s whoever is in charge of Lush’s data processes and security. They don’t have a named person as their data controller; the Register of Data Controllers shows it is the company as a whole. That is quite normal and shouldn’t be taken as a sign of inherent dodginess.)
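The check I’m talking about is not hard to automate. Here is an added example, written for this post rather than anything Lush actually uses, of how a bulk mailing can be composed with every subscriber in Bcc and then inspected before it goes out: anything with more than one visible address in To/Cc, or any visible address outside the sender’s own domain, fails the check. The subscriber addresses and the `news@lush-example.test` sender are constructed placeholders.

```python
"""Pre-send check that a group email exposes no recipient addresses.

Example code added for illustration; not Lush's code. All addresses
below are constructed placeholders.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed sample subscriber list standing in for a real mailing list.
SUBSCRIBERS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]
SENDER = "news@lush-example.test"  # hypothetical sender address


def build_bulk_message(sender, recipients, subject, body):
    """Compose a group email the right way: every subscriber in Bcc.

    The only address anyone sees in To is the sender's own, so no
    recipient learns who else was on the list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_careless_message(sender, recipients, subject, body):
    """The mistake described in the post: every subscriber pasted into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_addresses(msg):
    """All addresses in To and Cc, i.e. what every recipient will see."""
    pairs = []
    for header in ("To", "Cc"):
        pairs.extend(getaddresses(msg.get_all(header, [])))
    return [addr for _, addr in pairs if addr]


def exposure_problems(msg):
    """Return a list of problems; an empty list means the message may be sent.

    Flags more than one visible address, and any visible address whose
    domain differs from the sender's (a subscriber, not a colleague).
    """
    problems = []
    visible = visible_addresses(msg)
    if len(visible) > 1:
        problems.append(f"{len(visible)} addresses visible in To/Cc; move them to Bcc")
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    sender_domain = from_addrs[0].rpartition("@")[2].lower() if from_addrs else ""
    for addr in visible:
        if addr.rpartition("@")[2].lower() != sender_domain:
            problems.append(f"external address {addr} is visible to all recipients")
    return problems


def envelope_for_send(msg):
    """Return (envelope recipients, copy of the message with Bcc stripped).

    This is what an SMTP client must do: deliver to everyone in To/Cc/Bcc
    but never transmit the Bcc header itself. smtplib.send_message() does
    this for you; making it explicit lets it be verified before sending.
    """
    rcpts = []
    for header in ("To", "Cc", "Bcc"):
        rcpts.extend(a for _, a in getaddresses(msg.get_all(header, [])) if a)
    wire = message_from_bytes(msg.as_bytes(), policy=default)
    del wire["Bcc"]
    return rcpts, wire


if __name__ == "__main__":
    good = build_bulk_message(SENDER, SUBSCRIBERS, "New products", "Hello")
    bad = build_careless_message(SENDER, SUBSCRIBERS, "New products", "Hello")
    print("bcc mailing:", exposure_problems(good) or "ok to send")
    print("careless mailing:", exposure_problems(bad))
    rcpts, wire = envelope_for_send(good)
    print("envelope recipients:", rcpts)
    print("Bcc header on the wire:", wire.get("Bcc"))
```

The useful bit is that `exposure_problems` can sit in front of whatever actually sends the mail and refuse to send when it returns anything, which is exactly the second check the paragraph above says nobody did.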
There’s a thread on the Lush International Forum which was started in August 2011. It was started by a regular forum user complaining that she had received a group email from Lush in which the email addresses of every recipient were visible to every recipient. Further on in that thread, someone says the email was sent to 170 recipients. That’s 170 email addresses Lush failed to keep confidential, 170 people whose data was treated with no care at all. Here are some of the posts from that thread:
- Not at all impressed. That is my personal and professional email account. I will not be impressed if I start getting spam, and it then in turn starts getting sent to those on my contact list. I have schools on there, that I have a reputation with, I will not get work from them if I start getting spams sent through my personal email
- I am so upset, I foolishly thought that I would be okay using that email with them now they have a new site, and new security.
- You would think they might have learnt?!
- This is awful. Lush, seriously, get it together.
- Emailed to complain, really not happy, I feel everything registered with this address is now liable, bloody great.
- Fail. Shouldn’t be surprised really. I was a victim of the hacking. Sort it out lush. I’ve had enough of being messed about.
- This sucks. It has my full name in it.
- About 170. I had some fun playing “match the email address to the forum name”
- I am so upset. This is a serious data protection breach. Lush really need to do something about this.
You know what I notice most about those posts? It’s very clear that this was not the first time Lush had been careless with data security.
Later that same day Jack Constantine, son of Mark, posted to say:
I apologise profusely for the irresponsible lack of secrecy used to keep our customers personal email addresses private. Secret@lush.co.uk is a stand alone email account, that is being handled manually and separately from any other public data management within Lush. Once again, I apologise for this serious error, and reassure you that all future firstname.lastname@example.org emails will be sent using BCC to ensure your email does not get publicised again. If you would prefer not to be included in any email@example.com emails, then please send ‘unsubscribe’ to firstname.lastname@example.org.
Head of Digital
Further posts from company employees included:
- Having spoken to a few of you on the phone already, I would also like to say how sorry we are that this has happened. We completely appreciate how frustrating it is for those affected, and please be assured we will do everything we can to learn from this.
And customer responses included:
- for me, it wasn’t the fact that my name and email address had been spread around lots of people I might not want it to be spread around, it was the fact that Lush fucked up with people’s personal data again. I know that the systems are different but I would have thought that proper checks were in place to stop this sort of thing happening again. I don’t want free stuff, I want Lush to be more careful with my data. I told them this on the fone too.
- The issue isn’t what the consequences of this data handling error are, the issue is that it happened. And underlying this is the fact it happened relatively soon after the website/credit card problems. Data Protection law doesn’t care if no-one did anything with the disc of lost data they found on a train, it cares that the disc of data was lost in the first place. Back in the day when I was still a mystery shopper there was a couple of months where people were sent emails with other people’s credit balances in them, and on another occasion all MSers’ email addresses were sent in error to one person. Repeated problems in a similar vein lead people to lose trust in a company, as has been demonstrated by replies in this thread and others.
- I wasn’t affected because I didn’t ask to be added to the list, so I’m neutral about it. But I would say that this isn’t about Jack as an individual, it’s about Lush as a company, and we’ve seen several times now that their data handling procedures are poor. The fact similar errors occurred in mystery shopping should have been enough to ensure it never happened again within any part of the company. Lush might say they take their data protection obligations seriously, but they obviously haven’t changed their systems to ensure it can’t happen again, so I question how seriously they take it. I think the data protection high heid yins need to know.
And bear in mind the August 2011 breach came less than a year after this incident, in which Lush narrowly escaped a fine after the Information Commissioner found they had breached the Data Protection Act and not noticed for four months that bad guys had hacked into their retail site and stolen people’s credit card details. Internet security experts seem to be surprised they weren’t fined. And the August 2011 breach was not the first email breach. It was at least the second, and there might have been others complained about on the forum that I can’t remember and haven’t found by searching. So that’s twice they’ve fucked up their mass email list, at least twice they’ve fucked up their mystery shopper email list, and at least four months when they didn’t notice their retail site was being hacked. This is how to complain.
Oh, and let’s not forget how Mark Constantine, founder of Lush and self-styled trichologist, accessed his employee Hilary Jones’s tax records for the earth-shatteringly life-savingly world-changingly important reason of finding out her birthday and then posting it all over the Lush forum.