I received an email today from a Lush customer (as always, anyone wishing to email anything to this blog should use southside socialist at hotmail dot co dot uk). That email included copies of email correspondence between the customer and Lush, in which you can see that yet again Lush are sending out group emails in which every recipient can see the email addresses of everybody else it went to. Lush have apologised for this numerous times before but they keep on doing it. I’ve blogged about it here and other people have mentioned it in comments here.
The email from the customer to me says:
Thought you might be interested in putting this on your blog, although I would appreciate it if you kept my name anonymous. I’ve been product testing for Lush for a number of years, but have recently stopped due to their cavalier attitude to data protection. The e-mails below explain it all (I’ve left the original e-mail, together with all the e-mail addresses on it, so you can see exactly how bad this was – obviously I trust you won’t post the addresses online!). I’ve actually not contacted the IOC yet as I’ve been a bit busy (and really ill with the ‘flu!), but it’s still on my list of things to do. And no, I didn’t receive confirmation of my details being removed following my last e-mail on 1st September (no surprise there then).
Hope you’re well,
So, here are the emails, in chronological order. I’m removing the email addresses and the names.
From Lush (this email is addressed to approx 40 people; all of the email addresses are visible) 22/08/2013
Please see attached the response forms for the products that should be arriving with you shortly.
Enjoy your long weekend.
From the Customer to Lush 24/08/2013
Wow, just wow. Have you heard of the Data Protection Act at all? You should be using the BCC field so that the e-mail addresses aren’t visible to all the recipients.
From the Customer to Lush 24/08/2013
Can you please ensure that X, whoever he or she is, is suitably chastised about this? I copied it to Y but the mail has been returned undelivered (has she left?!). I’m absolutely furious about this, I’m very cautious about giving out my e-mail address and the last time it was included on a mass mail it somehow found its way onto another mass mail, and then another and I ended up having to change the damn thing.
From the Customer to Lush 2/08/2013
Further to my earlier e-mail, if I am unsatisfied with your response I will be putting in a complaint with the IOC.
From Lush to the Customer 28/08/2013
Thank you for your reply, please excuse the delay in mine. I’m very sorry to learn of your disappointment regarding the error made by myself when sending a group email, which exposed your email address. Please accept my sincere apologies.
Customer privacy is of the utmost importance to us and please be assured that the appropriate measures will be taken so that an incidence like this will not reoccur. We really value your contribution as a Lush tester and all future emails will be sent using the “BCC” function to ensure your email does not get listed again.
Once again I apologise for the inconvenience this has caused you, I hope that you continue to be a Lush product tester. If you have any further questions or concerns please do not hesitate to get back in touch.
From the Customer to Lush 01/09/2013
Thank you for your response and your assurances that an incident such as this won’t reoccur. However I’m afraid you lack credibility. Unfortunately for you I am in touch with other product testers, and I have been reliably informed that there was a previous leak of information at the beginning of August. You sent out an e-mail (dated 8th August) to 80 people which had the e-mail addresses all clearly visible in the ‘To’ field. So, for you to assure me that this won’t happen again when this is already the second occurrence is frankly laughable. I would be grateful if you would remove my name and details from the product testing database, and I will be putting in a complaint to the Information Commissioner’s Office this week.
I blogged about this happening before in May of this year. In that post, I mentioned the same sort of thing happening in August 2011. Two years on and several incidents later, they’re still utterly fucking incompetent.