I received an email today from a Lush customer (as always, anyone wishing to email anything to this blog should use southside socialist at hotmail dot co dot uk). That email included copies of email correspondence between the customer and Lush, in which you can see that yet again Lush are sending out group emails in which every recipient can see the email addresses of everybody else it went to. Lush have apologised for this numerous times before but they keep on doing it. I’ve blogged about it here and other people have mentioned it in comments here.
The email from the customer to me says
Hi SouthsideSocialist,
Thought you might be interested in putting this on your blog, although I would appreciate it if you kept my name anonymous. I’ve been product testing for Lush for a number of years, but have recently stopped due to their cavalier attitude to data protection. The e-mails below explain it all (I’ve left the original e-mail, together with all the e-mail addresses on it, so you can see exactly how bad this was – obviously I trust you won’t post the addresses online!). I’ve actually not contacted the IOC yet as I’ve been a bit busy (and really ill with the ‘flu!), but it’s still on my list of things to do. And no, I didn’t receive confirmation of my details being removed following my last e-mail on 1st September (no surprise there then).
Hope you’re well,
Customer
So, here are the emails, in chronological order. I’m removing the email addresses and the names.
From Lush (this email is addressed to approx 40 people, all of the email addresses are visible) 22/08/2013
Good Afternoon,
Please see attached the response forms for the products that should be arriving with you shortly.
Enjoy your long weekend.
Regards
From the Customer to Lush 24/08/2013
Wow, just wow. Have you heard of the Data Protection Act at all? You should be using the BCC field so that the e-mail addresses aren’t visible to all the recipients.
Absolutely livid.
From the Customer to Lush 24/08/2013
Can you please ensure that X, whoever he or she is, is suitably chastised about this? I copied it to Y but the mail has been returned undelivered (has she left?!). I’m absolutely furious about this, I’m very cautious about giving out my e-mail address and the last time it was included on a mass mail it somehow found its way onto another mass mail, and then another and I ended up having to change the damn thing.
From the Customer to Lush 2/08/2013
Further to my earlier e-mail, if I am unsatisfied with your response I will be putting in a complaint with the IOC.
From Lush to the Customer 28/08/2013
Dear Customer
Thank you for your reply, please excuse the delay in mine. I’m very sorry to learn of your disappointment regarding the error made by myself when sending a group email, which exposed your email address. Please accept my sincere apologies.
Customer privacy is the utmost importance to us and please be assured that the appropriate measures will be taken so that an incidence like this will not reoccur. We really value your contribution as a Lush tester and all future emails will be sent using the “BCC” function to ensure your email does not get listed again.
Once again I apologise for the inconvenience this has caused you, I hope that you continue to be a Lush product tester. If you have any further questions or concerns please do not hesitate to get back in touch.
Kind regards,
From the Customer to Lush 01/09/2013
Thank you for your response and your assurances that an incident such as this won’t reoccur. However I’m afraid you lack credibility. Unfortunately for you I am in touch with other product testers, and I have been reliably informed that there was a previous leak of information at the beginning of August. You sent out an e-mail (dated 8th August) to 80 people which had the e-mail addresses all clearly visible in the ‘To’ field. So, for you to assure me that this won’t happen again when this is already the second occurrence is frankly laughable. I would be grateful if you would remove my name and details from the product testing database, and I will be putting in a complaint to the Information Commissioner’s Office this week.
I blogged about this happening before in May of this year. In that post, I mentioned the same sort of thing happening in August 2011. Two years on and several incidents later, they’re still utterly fucking incompetent.
Mitherings from Morningside 
Not surprised at all. Sheer incompetence.
I know people from Lush are reading this, although given the company’s IT incompetence, I do not understand how they manage to find any website without being talked through it by an extremely patient nine year old.
Look, Lush. Go through your email system looking at all your mailing lists. For every mailing list that contains an email address external to Lush, move the email addresses from To to Bcc, then save it. It’s not difficult, if you care the teeniest bit about data protection law and doing what you’re supposed to do. I really hope the Information Commissioner hits you with the biggest fine ever, because you’d have to have the brainpower of a three day dead amoeba to not be able to do it, but you consistently manage to fuck it up.
‘Sorry to learn of your disappointment’?! Disappointment!!!! What a beautiful turn of phrase to use in relation to a breach of data security.
They’re not ‘sorry’ at all.
Sooner or later, though, the owners of Lush will end up on their bones of their arses, with nothing but mountains of legal bills to pay for failed attempts to defend themselves against charges laid against them by an outraged public. May it come sooner, rather than later.
I started reading your Lush related posts after seeing a link on the IF, that I had left quite a while ago due to all this shit going on (I’ve worked for Lush, too, so I have quite a lot on my plate concerning them) and only came back because they fucked up with privacy and I wanted to know if something like that had happened to someone else than me and they had said it on the IF. That’s when I found out about all the shit going on now. It just keeps getting worse.
But well, I am writing this right now to say that they are at fault with privacy on another level and maybe it’s useful information for you, I don’t know. I didn’t want to put it on the IF because of the atmosphere there but then, there will be a track anyway.
I got an email from orders@lush.co.uk full of the personal data of another customer to which they thought they were replying to, concerning an order he made with a refused payment.
I emailed them to know if that was just an error or hacking again, they assured me that it was only human error due to the similarity of my email and the other customer’s email. I was utterly pissed knowing that my email, besides the fact that it is on a completely different domain, probably only has the letter L in common with the other, and that the poor excuse was just taking me for a fool.
I was also really horrified to see that my email was registered in some staff employee’s email software, for it to be used so automatically.
There wasn’t a way the mistake could have been unseen, very different email addresses, very different names, I don’t understand.
I can understand human error, but coming from Lush, it always takes a new dimension.
Right now I am pondering taking it further, because, really, this could be nothing, and I am not one for procedures, but this is Lush, and this is done with a heavy background.
What do you think?
I can’t think of any reason at all why you shouldn’t report this to the information commissioner. Lush appear to be utterly cavalier regarding data protection and they never seem to appreciate the seriousness of their responsibilities. Perhaps intervention from the information commissioner would make a difference.
Thanks, I will take it further after thinking about it. If that was the other way around, someone would have my complete informations and personal data, and could make bad use of it so…