The Smell of Bullshit part 6 – data protection

Data protection. Basic principles – pretty straightforward. Key definitions are here. Briefly,

The Data Protection Act controls how your personal information is used by organisations, businesses or the government.

Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the UK without adequate protection

There is stronger legal protection for more sensitive information, such as:

  • ethnic background
  • political opinions
  • religious beliefs
  • health
  • sexual health
  • criminal records

I’ve bolded the bit above which says the information must be kept safe and secure. Safe and secure. That seems reasonable doesn’t it? Yet on at least 2 occasions, to my knowledge, Lush have sent out a group email to their customers without putting the recipients into the bcc address box. They’ve sent out group emails to numerous customers in such a way that every recipient of the email could see the email addresses of every other recipient.

Once I could understand. It’s a shoddy, slipshod thing to do and indicates that they don’t take data protection particularly seriously. After all, if they did take it seriously, whoever set the group mailing up would have ensured it was set up as bcc, and somebody would have checked it. But mistakes happen and as long as a company learns from its mistakes and doesn’t continue to make them, well, forgiveness is a virtue.
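The check the previous paragraph asks for (recipients in Bcc, and somebody verifying it before the send) can be automated. The following is an added example, not code from this blog or from Lush: it parses an outgoing message, lists the addresses every other recipient would be able to read, and rewrites the headers so third parties move to Bcc. The sample messages, names and domains are constructed for illustration.

```python
"""Pre-send check for a group mailing: flag and fix recipient disclosure.

Added example for this post (not the blog's or Lush's code). The sample
messages and addresses below are constructed for illustration.
"""
from email import message_from_string, policy

# Constructed sample: every customer address sits in To:/Cc:, so each
# recipient can read all the others. This is the failure the post describes.
LEAKY_MESSAGE = """\
From: newsletter@shop.example
To: alice@example.org, bob@example.net
Cc: carol@example.com
Subject: New products this month
Content-Type: text/plain; charset=utf-8

Hello everyone, here is our monthly update.
"""

# Constructed sample: a one-to-one message, which is fine as it stands.
SINGLE_MESSAGE = """\
From: newsletter@shop.example
To: alice@example.org
Subject: Your order

Thanks for your order.
"""


def _parse(raw):
    # policy.default gives structured address headers (.addresses).
    return message_from_string(raw, policy=policy.default)


def _addresses(msg, header):
    """All addr-specs in every occurrence of `header`, lower-cased."""
    found = []
    for value in msg.get_all(header, []):
        found.extend(a.addr_spec.lower() for a in value.addresses)
    return found


def sender_address(raw):
    """The From: address, or None if the header is missing."""
    senders = _addresses(_parse(raw), "From")
    return senders[0] if senders else None


def visible_recipients(raw):
    """Addresses any recipient can read: everything in To: and Cc:."""
    msg = _parse(raw)
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def bcc_recipients(raw):
    """Addresses in Bcc: (present only before the message leaves the sender)."""
    return _addresses(_parse(raw), "Bcc")


def disclosed_addresses(raw):
    """Third-party addresses exposed to one another.

    One visible recipient, or only the sender's own address, discloses
    nothing. Two or more visible third parties means each of them learns
    the others' addresses, which is the data-protection failure at issue.
    """
    me = sender_address(raw)
    third_parties = [a for a in visible_recipients(raw) if a != me]
    return third_parties if len(third_parties) > 1 else []


def move_recipients_to_bcc(raw):
    """Rewrite so third parties are in Bcc: and To: shows only the sender.

    Bcc: is stripped by the mail client or MTA before delivery, so every
    recipient still gets the message but never sees the others' addresses.
    """
    msg = _parse(raw)
    me = sender_address(raw)
    recipients = [a for a in visible_recipients(raw) if a != me]
    del msg["To"]
    del msg["Cc"]
    msg["To"] = me if me else "undisclosed-recipients:;"
    if recipients:
        msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


if __name__ == "__main__":
    print("would disclose:", disclosed_addresses(LEAKY_MESSAGE))
    fixed = move_recipients_to_bcc(LEAKY_MESSAGE)
    print("after fix, disclosed:", disclosed_addresses(fixed))
```

Run as a gate in the sending script: refuse to send while `disclosed_addresses()` returns anything, and pass the Bcc list to the mail submission call as the envelope recipients.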

But what if it happens again? Is that an honest mistake, or is it carelessness? Is it just bad luck or is it stupidity? Is it an error made by a rogue employee who didn’t pay enough attention to their data protection training, or is it a company which should know better holding the law in utter contempt? You decide.

(For the record, I don’t think anyone should blame an individual rogue employee. These cock-ups are corporate, and if anyone’s head should roll, it’s whoever is in charge of Lush’s data processes and security. They don’t have a named person as their data controller; the Register of Data Controllers shows it is the company as a whole. That is quite normal and shouldn’t be taken as a sign of inherent dodginess).

There’s a thread on the Lush International Forum which was started in August 2011. It was started by a regular forum user complaining that she had received a group email from Lush in which the email addresses of every recipient were visible to every recipient. Further on in that thread, someone says the email was sent to 170 recipients. That’s 170 email addresses Lush failed to keep confidential, 170 people whose data was treated with no care at all. Here are some of the posts from that thread:

  • Not at all impressed. That is my personal and professional email account. I will not be impressed if I start getting spam, and it then in turn starts getting sent to those on my contact list. I have schools on there, that I have a reputation with, I will not get work from them if I start getting spams sent through my personal email
  • I am so upset, I foolishly thought that I would be okay using that email with them now they have a new site, and new security.
  • You would think they might have learnt?!
  • This is awful. Lush, seriously, get it together.
  • Emailed to complain, really not happy, I feel everything registered with this address is now liable, bloody great.
  • Fail. Shouldn’t be surprised really. I was a victim of the hacking.
    Sort it out lush. I’ve had enough of being messed about.
  • This sucks. It has my full name in it.
  • About 170. I had some fun playing “match the email address to the forum name”
  • I am so upset. This is a serious data protection breach. Lush really need to do something about this.

You know what I notice most about those posts? It’s very clear that this was not the first time Lush had been careless with data security.

Later that same day Jack Constantine, son of Mark, posted to say

I apologise profusely for the irresponsible lack of secrecy used to keep our customers personal email addresses private. is a stand alone email account, that is being handled manually and separately from any other public data management within Lush. Once again, I apologise for this serious error, and reassure you that all future emails will be sent using BCC to ensure your email does not get publicised again. If you would prefer not to be included in any emails, then please send ‘unsubscribe’ to

Yours sincerely,

Jack Constantine

Head of Digital

Further posts from company employees included

  • Having spoken to a few of you on the phone already, I would also like to say how sorry we are that this has happened. We completely appreciate how frustrating it is for those affected, and please be assured we will do everything we can to learn from this.

And customer responses included

  • for me, it wasn’t the fact that my name and email address had been spread around lots of people I might not want it to be spread around, it was the fact that Lush fucked up with people’s personal data again. I know that the systems are different but I would have thought that proper checks were in place to stop this sort of thing happening again. I don’t want free stuff, I want Lush to be more careful with my data. I told them this on the fone too.
  • The issue isn’t what the consequences of this data handling error are, the issue is that it happened. And underlying this is the fact it happened relatively soon after the website/credit card problems. Data Protection law doesn’t care if no-one did anything with the disc of lost data they found on a train, it cares that the disc of data was lost in the first place. Back in the day when I was still a mystery shopper there was a couple of months where people were sent emails with other people’s credit balances in them, and on another occasion all MSers’ email addresses were sent in error to one person. Repeated problems in a similar vein lead people to lose trust in a company, as has been demonstrated by replies in this thread and others.
  • I wasn’t affected because I didn’t ask to be added to the list, so I’m neutral about it. But I would say that this isn’t about Jack as an individual, it’s about Lush as a company, and we’ve seen several times now that their data handling procedures are poor. The fact similar errors occurred in mystery shopping should have been enough to ensure it never happened again within any part of the company. Lush might say they take their data protection obligations seriously, but they obviously haven’t changed their systems to ensure it can’t happen again, so I question how seriously they take it. I think the data protection high heid yins need to know.

And bear in mind the August 2011 breach came less than a year after this incident, in which Lush narrowly escaped a fine after the Information Commissioner found they had breached the Data Protection Act and not noticed for four months that bad guys had hacked into their retail site and stolen people’s credit card details. Internet security experts seem to be surprised they weren’t fined. And the August 2011 breach was not the first email breach. It was at least the second, and there might have been others complained about on the forum that I can’t remember and haven’t found by searching. So that’s twice they’ve fucked up their mass email list, at least twice they’ve fucked up their mystery shopper email list, and at least four months when they didn’t notice their retail site was being hacked. This is how to complain.

Oh, and let’s not forget how Mark Constantine, founder of Lush and self-styled trichologist, accessed his employee Hilary Jones’s tax records for the earth-shatteringly life-savingly world-changingly important reason of finding out her birthday and then posting it all over the Lush forum.


33 thoughts on “The Smell of Bullshit part 6 – data protection”

  1. “Back in the day when I was still a mystery shopper there was a couple of months where people were sent emails with other people’s credit balances in them” I can second this, had that happen with my email/credits/information and no redress from Lush at all, they were totally uninterested.

  2. I’m coming back later to make a bigger post but I’ve heard from a head office employee that one of their web designers warned them that the website wasn’t secure but he was ignored and quietly shuffled out at the earliest possible convenience.

    • I have to say, that can’t possibly be true. If it was true, what would it say about a company who employed a specialist professional then ignored his advice and as a consequence of ignoring expert advice, allowed their customers to become the victims of credit card fraud? Any company doing that would be guilty of extreme arrogance, carelessness, selfishness and stupidity. And do Lush really deal with people who tell them important things they don’t want to hear by ignoring them and then quietly shuffling them out? That would also reek of arrogance and stupidity, so again, it can’t be true. Besides, if Lush treated stuff like that, we would definitely have heard. Too many of us have close friendships with their staff for them to get away with that sort of thing without it being known.

  3. I understand your disbelief. I’m unable to offer any proof because I don’t want to endanger anyone’s livelihood. Now I’m on a computer instead of a phone I can flesh out my comment and hopefully offer some context.

    The developer in question was part of the website team. He expressed concerns about the security of the website. However the website is Jack Constantine’s baby, and as many commenters have said, if you criticise one of the Constantine brood, you’re likely to find yourself out of a job.

    Obviously this is hearsay and you are free not to believe it. But the same goes for most of the comments on here.

    “And do Lush really deal with people who tell them important things they don’t want to hear by ignoring them and then quietly shuffling them out?”

    All evidence points to yes I’m afraid. At least, that’s been my experience.

  4. “And do Lush really deal with people who tell them important things they don’t want to hear by ignoring them and then quietly shuffling them out?”
    Yes I know this from years of experience & it continues to this day.

    “Too many of us have close friendships with their staff for them to get away with that sort of thing without it being known.”
    They force people out and either force them to sign confidentiality contracts or throw money at them to go away. You haven’t heard Lush’s secrets for this reason but with staff (ex & current!) and customers speaking out it’s only a matter of time before you know the dirty truth about Lush.

  5. I had someone else’s invoice emailed to me. I saw their address, name and phone number. This was very recently (within the last two months). I told them but, to be honest, they didn’t seem overly bothered! Human error apparently! Great… restores all faith!

  6. and how do you think we DO know about them shuffling them out? because they are friends IRL. I can name 5 off the top of my head and one who was paid off despite quite terrible misdeeds against the company.

    if you hear the same story from quite a few trusted sources you tend to believe it rather than the bullshit spouted by the hardcore crew of hilary, mark et al. if you’re sane that is.

  7. I have deleted a comment which at first I approved, because I then thought better of it. As a rule, I only delete spam or abuse and will publish all other comments. I have not refused to publish any positive comments in support of Lush (few though they have been). The reason I decided to delete the comment was because it referred to a Constantine’s behaviour in his personal life rather than in a work context. Although I am using this blog to give a platform to concerns about Lush’s behaviour as a company, I do not think this is the place to make accusations about people’s personal lives and poor moral choices. Even though I have heard similar accusations about that particular Constantine from several unrelated sources and therefore believe them to be based in truth, I do not want this blog to be used for allegations about people’s personal lives. If the allegations are true, and I believe them to be, the truth will come out eventually anyway – it always does. Please let’s just use this blog for discussing the behaviour of Lush as it relates to staff and customers, products and employment practices, not for outing personal sins.

  8. I had my card details stolen in 2010 during the Lush Website Hack – I was upset, and angry, but forgave Lush – This had happened with Amazon, it happened with Paypal – I saw it as a one-off and directed my anger at the hackers. We were told lessons had been learnt, I got my stolen money back and thought that would be the end of the matter.

    A few months later, we had the secret@lush incident, myself and hundreds of others had our email addresses sent to each other – at the time, I rationalised (like some of the others), that “Thank god it was only other forum members” – at that stage, I was still very much blinded with Lush Love and believed that it was a friend making a monumental cock-up – friends makes mistakes, and you can forgive your friends, not a multinational company, and Lush was our friend (I know, stupid, right? But that’s how a lot of people felt about Lush). We received grovelling apologies, explanations and further assurances that lessons had been learnt…

    After over a year of avoiding signing up or giving my details to Lush, a new store had opened in 2012, which was local to me, so I signed up to their mailing list. Just a few months later, in late April, I received my first marketing emailer from the store – unfortunately, I also received the names and email addresses of every other person on the mailing list. I emailed the store to notify them of the error – No response, no apology, no acknowledgement, no attempt to recall the message – thank god there were no assurances that lessons had been learnt, because to compound it all with lies would have made the situation much, much worse.

    I simply have had enough – I cannot trust Lush with any of my information, they haven’t learnt their lesson, they are still slapdash with people’s personal information – so I sent the offending emails to the Information Commissioner and submitted a formal complaint.

    Lush’s customers, their fans, their online forum had been telling them for years about this problem (and many others, which go on without a viable solution), and Lush are simply refusing to listen. I am glad that this blog is here, because the issues raised have been stuff that Lush know about and customers have been trying to tell them for years, and all that we get is lip service – but no action, and no guarantees that they have been taking notice.

    If they won’t listen to their customers – then we have to find other ways to make them listen!

  9. After the hacking incident all managers received PCI and data security training. This was a 3 hour training session which we all had to travel up to London for and basically involved sitting listening to some dreary girl telling us all to lock our personnel files in the safe (safes not big enough and can be accessed by about 8 people so therefore not secure) and to never ever ever ever touch a customer’s credit card. That was basically it. We all got given a big form to read and sign to say that we understood it (even tho the girl training us didn’t seem to understand it either) and we then had to convey the information back to our staff and get them to sign to say that they understood too. Therefore Lush have told the managers and it’s down to the staff to take responsibility for Lush’s actions again.

    In the shops all the customers’ credit card slips – even those with numbers on if they were ones that were signed – were to be treated exactly the same as before the hacking incident. They were kept with all the till receipts, placed in an envelope with the date and shop number written on the envelope. The envelope couldn’t be sealed – especially at Christmas when there were too many receipts for the envelope to contain, in fact we were told not to seal them as they might need to be looked at. These envelopes were kept in a box in the staff/office area, accessible to all and sundry and then, as always, were sent back to the accounts department by Royal Mail in an archive envelope in what is called the ‘end of month pack’. These then get filed and looked at if there is a problem with the shop’s sales figures etc.

    We asked if all shops could be issued with a strong box that only the manager could have a key for so that all this information could be kept safe. We’re still waiting. I don’t suppose it will ever happen as Lush just don’t care enough. I hope they do get caught and fined as it is the only way that they will ever learn that they are not above the law, it DOES apply to them and that no one’s teflon coated, even them.

  10. Curious comment about the strong box. I work in another store, we didn’t have one and were ordered a full lockable filing cabinet without asking. I have also been working in another store recently who also didn’t have one, but we were told to buy one asap. I think you need to follow up on that as I don’t believe in this instance it is Lush at fault. At least in regards to the lock box…

  11. How can Lush not be at fault? Surely it’s the company’s responsibility to make sure shops have the facilities they need and the staff are trained on appropriate procedures? Why didn’t the shops you mention have a strong box? How long had they been open without a secure storage area?

  12. Someone on the Lush forum has just posted “All of the above: the methods described regarding storing the data are exactly what happened up until September 2011 (I left then so don’t know anymore).

    I continued to work for Lush as a manager for 9 months after the hacking. I was never invited anywhere for a training session on this during that time…… So I wonder when it was?

    As for not sealing the envelopes we used to be told it was because head office reused them.”

  13. Surely it is the company’s responsibility to ensure that the information is secure – I wouldn’t expect to work in a pub and then be told to buy the glasses!

  14. And why am I not surprised? Oh, maybe because when I called up on the perfume round, talking on the mobile on the way to work, the member of staff said “are your last numbers xxxx?” and I said yes. “Confirm the last 3 numbers” and I said yes, that’s right. Got off the phone and realised all my card details were on their computer, even the CVV is saved. Only having to confirm the last numbers on the card means only one thing. Card changed, not using it for Lush shopping any more. So all the hassle people had after Xmas this year with their cards being charged after December, Lush knew what they were doing. But even copying the CVV number is wrong on every level. I have contacted my bank, as the fraud squad did contact me and send a new card during the original data web hack the previous time, and I have today asked them to look into this further as the company are clearly at fault and not keeping security maxed. So far not impressed at all. Lush have learnt nothing from this. Nothing at all. I don’t trust them not to get hacked again as their systems are clearly wide open for anyone to pop in, so much for the promises of it never going to be a problem in future. And I sure as heck will pay cash if I do shop in store in future. Seriously sloppy security, in store and online and via mail order. Just my feelings posted, but I’m evidently not alone. Great blog posts as well.

  15. In my experience, we have been trained which is why it confuses me a little when others say we haven’t been. I think what needs to be looked at is the follow up from head office to make sure it is being done, iyswim? Our lock box came as a consequence of the hacking debacle. The other shop mentioned, I couldn’t tell you why they didn’t have one from then too, as like I say, I was only there in passing. I just know it was something we implemented very quickly. But again, that comes of the follow up, rather than the initial training. I have no problem buying the equipment needed, and we did. But its making sure the whole company follow suit.

  16. (And please do not get me wrong, I may work for the company but it does not mean I am blind to what they do try and get away with. I just wanted to correct something that did not seem quite right in my experience.)

  17. Your locked box came after the hacking debacle, but why wasn’t there one already there? Lush were at fault for not providing secure storage from the day the shop was opened. Why were staff only given training after the website was hacked? Why weren’t they trained in their first weeks of starting the job? And why was the training so inadequate? Lush are failing in every respect.

  18. In late February this year I had a chunk of money come out of my bank account for Lush Mail Order. I hadn’t purchased anything from Lush Mail Order since December 2012 (when I ordered Christmas presents). Confused, I called up Mail Order who confirmed I hadn’t made an order since December and confirmed the payment was for that order, as it had not come out in December. They didn’t know why, I was never ever given a satisfactory response. They were actually rather evasive and rude to me. Now I had received the goods and therefore owed the money, fair enough, and I understand payments can come out a week or so after the transaction. But months?! If Lush did their accounting properly, they would have known this money was owing (I was one of many apparently) but they didn’t think to tell customers this was the case. I paid for it on debit card and my account is always good, there was no reason from my end for it to happen, the fault WAS entirely with Lush to my mind. Being Christmas, I hadn’t noticed that it didn’t come out at the time I just presumed that a normal retailer would take the money when you handed the card details over, but Lush aren’t really a normal company are they? They seem to sidestep normal procedure.

    At the time I saw on the forum that it had happened to other people. Lush’s Ethics Director – Hilary Jones responded in her usual patronising manner. She said the following (which can still be found on the International Forum):

    “As I said, we do not keep any details on our system – they are typed straight into a handset that belongs, and is linked via phone line, to the credit card company. For us to be able to re-take a payment, we would have to phone the customer and ask them to read the number to us again, so we could type it into the hand set again”

    Well, nobody had called or contacted me, and it was months since I originally called to make my order. I was very very worried and the people I spoke to at Lush were really very unhelpful and I felt rather rude. So naturally, I rang my bank to ask them about it. Like I say, I had no problem with the money being taken, I owed it, but how had they processed this transaction several months later? My bank said they were confused – the money had not been ‘pending’ out of my account for months, but it had been freshly taken in the February. That’s right, there had been no PENDING payment, as would usually be the case in a delay between processing transaction and money leaving the account. The bank told me that the payment had ONLY been processed in the past few days. As I say, no one had called me up to tell me this, or re-take details. Now I originally called Mail Order to make my December purchases (I didn’t go through the website) so had they kept my details somewhere? They must have. My bank thought they had and advised me to call the police as they felt there were data protection issues at hand. I still haven’t plucked up the courage to do this as I am scared of Lush, maybe I will do now?

    I did receive a call from their customer care department to talk about the issue; they read some standard response off a piece of paper and offered to send me a box of products. Silence products?

    Incidentally, with the big Lush website of 2010, I never used the website (only ever rang up MO on a rare occasion) but I was a victim of internet fraud (for the first & only time) in December 2010. Again, I have no idea how anyone got hold of my card details but I feel it was one hell of a coincidence.

    I have no faith that my details were ever safe with Lush Mail Order. This was my genuine customer experience.

  19. I left Lush around a year after the hacking and there was no strong box provided in this time, tho they may have finally got their act together now and provided them. After the training I asked if I could buy a box and was told that it was not necessary and that my shop didn’t really have the budget for it. In my head office position I visited around 15 shops and none of them had a strong box. Most Lush staff room/offices wouldn’t be big enough to accommodate one anyway. In some of the shops I visited the paperwork was all over the place, with card receipts spilling out of envelopes in full view of all staff and customers too if they did not close the door between the shop and the staff area which many didn’t.

  20. I cannot and would not presume to speak for Lush. I just wanted to put my little bit of experience across.

  21. Lush, on their facebook page and on the IF, are categorically denying that any of their receipts show the full card number. Strange that commenters here and on the IF disagree.

  22. My experience of having worked at Lush (for a fairly long time, in a few different positions) is that they look after number 1. If they can ignore a problem they will, if they can’t, they will try to throw money at it to make it go away, and also spin it to their advantage. It’s a mixture of pure laziness, lack of experience, stupidity and arrogance. I also believe that they also see things like not having proper legal employment procedures as something akin to ‘sticking it to the man’ – if they don’t have to do something properly, or they won’t get found out, they find utter childish delight in dodging it. I believe this is, in part, due to the owner’s belief that he runs a glorified corner shop and that as a privately owned firm, they are not accountable. If Lush doesn’t stand to profit from it, or believe it’s one or two ‘troublemakers’, they will not take notice. Want proof? Look at the continued ignored customer pleas over the years, look at the results of the web hack, look at the upheld ASA complaints, look at how the owner (“BIG” aka Mark Constantine) used to speak to his customers on his own forum (and when he didn’t like it, or couldn’t handle it, he ran away with his tail between his legs). It’s all out there for anyone and everyone to see. Google a few choice words and you can see it all in black & white.

  23. I have been uhmming and ahhing about writing here, I am a very scared member of staff. I want to say as far as a locked box or whatever goes we have NEVER had one and still use envelopes kept in the back room. I have worked in a few stores and I have never been told about the locked box so it can’t just be my current store. Also if you believe anything changed after the hacking crisis, you would be kidding yourself

    • Everything posted here is anonymous and I won’t be publishing the emails of the commenters. In fact, once the comment is approved for publication, I’m so technically inept I’m not even sure how to go back and find it out. So don’t worry about that. You’re welcome to comment on any of the Bullshit posts

  24. Pingback: The Smell of Bullshit: the comments post | Mitherings from Morningside

  25. Pingback: The Smell of Bullshit, part 33: more data protection concerns | Mitherings from Morningside

  26. Pingback: The Smell of Bullshit, part 37: when was the Lush retail site REALLY hacked? | Mitherings from Morningside

  27. Karl from Lush has posted on the forum today saying “Hi

    Forgive me I can’t remember who said it but someone was saying that Mark Constantine was not a Trichologist so I wanted to clear that up.

    Mark very kindly dug out his certificate to confirm that he passed his final Institute of Trichologists Incorporated examinations on 27/6/77.

    If I was more technically savvy I would post a photo of the certificate but as it stands you will have to visit me to see it!

    which appears to clear that up.

    • So in 6 months Karl Bygrave, shareholder, has not managed to find anyone who works for Lush that can scan in a copy of a certificate and post it on the forum? No wonder data protection is so bad, they are clearly all incompetent and not capable of running a bath, let alone a multi-million pound international company.

  28. Pingback: The Smell of Bullsht, part 43: more more data protection issues | Mitherings from Morningside
