Handmade Soap, Dancing Lemmings & Credit Card Fraud
January 23, 2011 5:23 AM   Subscribe

UK cosmetics company Lush cultivates an image of quirky naiveté in its marketing, even when it loses the credit card details of thousands of customers.

Everyone who made a purchase on their site between Oct 4th and Jan 20th is being asked to contact their banks and check for fraudulent use of their cards. So far, so good. But alongside this warning, Lush has also posted an admiring message to the hackers on the front page of their website and tried to cheer themselves up with a wacky video of dancing soft toys on the same day as they issued the fraud warning. Their customers are feeling slightly less upbeat about the whole incident, as evidenced by the comments on their youtube channel.
posted by him (39 comments total) 2 users marked this as a favorite
 
In other news: random person mugged in Huston. Why is this news?
posted by delmoi at 5:39 AM on January 23, 2011


Having walked past Lush stores on numerous occasions, I'm not surprised to learn that their security stinks too.
posted by gman at 5:41 AM on January 23, 2011 [9 favorites]


Having walked past Lush stores on numerous occasions, I'm not surprised to learn that their security stinks too.

Yeah, I pass those stores from time to time here in Tokyo, and the smell is overwhelming. I mean, it's really olfactory pollution, right on a par with noise pollution, as far as I'm concerned. It's really over the top!
posted by flapjax at midnite at 5:50 AM on January 23, 2011 [1 favorite]


A friend of mine worked for Lush and apparently you stop noticing the smell after an hour.
posted by SockyMcPuppet at 5:54 AM on January 23, 2011


In other news: random person mugged in Huston. Why is this news?

Get this: there are online stores in other parts of the world! And sometimes they get hacked, and as such, news stories about said hacking might just interest individuals residing in those parts of the world!
posted by slater at 6:00 AM on January 23, 2011 [1 favorite]


In other news: random person mugged in Huston. Why is this news?

I'll bet the person who got mugged didn't turn around, congratulate the mugger for getting the best of them, and give them a singing teddy bear.
posted by EmpressCallipygos at 6:04 AM on January 23, 2011 [4 favorites]


If somebody got mugged in Huston, I, for one, would want to know about it.
posted by Faint of Butt at 6:12 AM on January 23, 2011


A friend of mine worked for Lush and apparently you stop noticing the smell after an hour

Probably because you're lying dead on the floor with blood streaming from all your facial orifices. Those stores are stank.
posted by elizardbits at 6:33 AM on January 23, 2011 [1 favorite]


In other news: random person mugged in Huston. Why is this news?

OK, try this, and see if it feels more FPP-worthy:
New York City-based cosmetics company Lush cultivates an image of quirky naiveté in its marketing, even when it loses the credit card details of thousands of customers.
posted by kcds at 6:36 AM on January 23, 2011 [17 favorites]


Well, actually, they still seem to have the credit records so they didn't lose them per se.
posted by Bovine Love at 6:36 AM on January 23, 2011 [1 favorite]


I'll bet the person who got mugged didn't turn around, congratulate the mugger for getting the best of them, and give them a singing teddy bear.

Give the guy four months.
posted by graventy at 6:37 AM on January 23, 2011


Perhaps people are irritated that security was breached months ago, and that instead of getting in touch with their affected customers directly, they put a funny video on their website?
posted by jeather at 6:39 AM on January 23, 2011 [1 favorite]


I've long wished that Lush products were made and sold by some other company that wouldn't order its customer service people to give you the full-court press when you come in, or charge $5 for a single bath tablet. A unfairly delicious, addictive bath tablet.
posted by Countess Elena at 6:52 AM on January 23, 2011 [4 favorites]


I don't actually mind Lush's products, but I hate the cutesy voice in their marketing stuff. It's an Ickle Baby Baff Bomb! Isn't that just adorable? Aren't we just the world's most twee woodland sprites? Isn't our twee woodland sprite act simultaneously cute and really rebellious and counter-cultural?

Blech.

(And actually, with a lot of the products, I can't resist the idea that I could make them myself in my kitchen if I were willing to comb the internet for recipes. They maybe do a bit too good a job at the "all natural and homemade" thing. Plus, it's all freakishly expensive.)

But yeah, it doesn't entirely surprise me that they messed up in this particular way. The thing about their marketing voice is that most of their customers think of it as a marketing voice. They don't think it's for real. So when you're dealing with serious stuff, drop the voice and let people know that you take the issue seriously.
posted by craichead at 6:59 AM on January 23, 2011


it's really olfactory pollution

They've sprung up all over Japan, and it's gotten to be pretty unpleasant. My wife and I have gotten to the point where we can tell when there's a new outlet in a mall or department store just by being on the same floor, but never actually seeing it. I feel sorry for the people who work in the neighboring stores, because dear god, what did they do to deserve that?
posted by Ghidorah at 7:01 AM on January 23, 2011 [1 favorite]


A friend of mine worked for Lush and apparently you stop noticing the smell after an hour.

A friend of mine worked in the sewers and he said exactly the same thing.

BTW, isn't it Japan where they have all those speakers on poles screaming advertising at you continuously? I'd have thought that compared with that, the occasional branch of Lush was a doddle. At least you can avoid them.
posted by PeterMcDermott at 7:07 AM on January 23, 2011 [3 favorites]


I think Lush smells awesome.

Also, the fact they they stuck to their 'marketing voice' kinda implies that its more of a genuinely naive voice rather than just a marketing ploy (because anyone with experience of 'marketing' would never have put dancing bears up as a response to being hacked). So thats kind of interesting. Perhaps they really are an international franchise with internal management something like the keystone cops? I like that idea.

Also, credit card fraud happens all the time, its just a fact of modern financial life and the price we pay for convenience. Lush should certainly apologise and have their wrists slapped a bit for being careless, but its not the end of the world.

I look forward to their 'we got hacked, hooray' bath bombs and 'all your suds are belong to us' soap.
posted by memebake at 7:28 AM on January 23, 2011 [11 favorites]


I don't think the fact that it's a UK based cosmetics company is related to the perceived irrelevance of this topic. It's just another stupid online retailer, taking a PR-influenced (and probably ill-advised) response. The bigger story IMO is that PCI compliance is poorly enforced and putting anyone who uses a card online at risk.
posted by polyhedron at 7:31 AM on January 23, 2011


Peter mcdermot, yeah, there's lots of annoying loud speaker stuff here, including shop staff with plastic cones for making themselves even more unpleasant, but that is why headphones were invented. I don't have to actually listen to those artificial high pitched sales voices if I don't want to. On the other hand, the there's really no way to counteract the wall of perfumed stench that wafts out of each and every Lush store.
posted by Ghidorah at 7:57 AM on January 23, 2011


SockyMcPuppet: "A friend of mine worked for Lush and apparently you stop noticing the smell after an hour"

Kinda like old ladies stop smelling their own overdosed perfume after a couple minutes of dumping it on before going to church and inTOXICating the rest... oh, sorry... bitter memories of sitting behind old ladies in church who OD'd on stinky perfume.
posted by symbioid at 8:30 AM on January 23, 2011


Apparently it's just the UK branch (that we all know of) that got hacked. We Americans can go back to rolling our eyes at the irrelevance of other countries now, I guess. (Also, generally, online store hacked, safety compliance bad, film at 11.)

Most exciting Lush news in my part of the world: Lush opened a store here in Austin recently, which means I no longer have to go to San Antonio/Houston/Dallas to get my fix. There is no point in mail ordering the stuff from about March until November, because it'll melt before it gets here. I suspect I'll have to use the same refrigerated bag I have for my groceries to buy soap in the summer from those guys.
posted by immlass at 9:12 AM on January 23, 2011


Oh whatever you guys.
Lush stores smell terrific and their products really are fantastic.
Of course this being a metafilter thread I assume it's only a matter of time before someone posts about the offensiveness of "olfactory policing" and "scent shaming" and how Lush is one of the worst offenders next to the media in general
posted by Senor Cardgage at 9:42 AM on January 23, 2011


You folks complaining about the smell of Lush *clearly* don't have a Yankee Candle shop nearby. My gods...
posted by maryr at 9:57 AM on January 23, 2011 [8 favorites]


I like their liquid shampoos because LUSH is one of the few brands that doesn't give me head-itch (I think I'm allergic to dimethicone). And they smell good. I don't enjoy the stores so much, though, because when all the different smells are mixed up it just stinks.
Also, hipster alarm. I'm scared of young guys with mohawks and nose-rings who want to upsell me on cosmetics. I just run in there, hold my breath, grab the 15-dollar shampoo bottle and get the hell out! I wanted to switch to ordering online, but maybe that's not such a good idea after all...

Any decent alternatives?
posted by The Toad at 10:04 AM on January 23, 2011


I'll bet cancer rates for Lush store workers are considerably increased. You can't breathe that shit day in and day out with it causing problems.
posted by five fresh fish at 10:25 AM on January 23, 2011


Here's the message to the hacker that I'm seeing on Lush UK's website:

TO THE HACKER
If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.


Unless there's an earlier version that Lush has since edited in the wake of customer feedback, this doesn't strike me as "congratulating the mugger for getting the best of them."

(Without having seen the dancing bears yet, I'll grant that while I generally like Lush's sense of whimsy, they may want to dial it back just a scoch. I mean, I like tap dancing, but I don't necessarily want to see it during a press conference in the aftermath of a bank robbery.)
posted by bakerina at 10:56 AM on January 23, 2011 [1 favorite]


God, Lush. When my daughter worked there, the scent left on her clothes would give me a headache for hours. And I like their products! Those poor employees.

Sucks about the site security.
posted by Space Kitty at 11:56 AM on January 23, 2011


If you have a credit card, you should be checking your statements for unauthorized charges on a monthly basis, not waiting for some head-up-its-ass company to tell the world they got hacked.
posted by lefty lucky cat at 11:58 AM on January 23, 2011 [2 favorites]


Countess Elena: "I've long wished that Lush products were made and sold by some other company that wouldn't order its customer service people to give you the full-court press when you come in, or charge $5 for a single bath tablet. A unfairly delicious, addictive bath tablet"

Make your own. (self link to set of illustrated instructions/recipe for bathbombs. Gather some esy to find ingredients, use any mold you have handy, and a half an hour, and you too can have bath bombs.

The Toad: "Any decent alternatives"

There are a lot of suppliers who cater to the boutique manufacturer, but also sell to non-business customers, who carry shampoo bases of various kinds, with a large selection of non-dimethlicone /non-sodium-laurate bases. MeMail me if you'd like some links of suppliers I've tested.
posted by dejah420 at 12:50 PM on January 23, 2011 [3 favorites]


I'll bet the person who got mugged didn't turn around, congratulate the mugger for getting the best of them, and give them a singing teddy bear.

[batmangrowl]YOU DON'T KNOW ME[/batmangrowl]
posted by Sticherbeast at 12:54 PM on January 23, 2011 [1 favorite]


I got half excited because for a brief moment I thought this was another shoegazer/Lush post.

(Note to self: Stop stalking Miki. The 90s are over.)
posted by cazoo at 3:32 PM on January 23, 2011 [4 favorites]


I don't mind Lush stores; in fact I've tried a number of their products out of curiosity. I like trying out cosmetics, what can I say? But their products don't seem to be adjusted for the Japanese market (I haven't really checked... this is just my impression) and none of their soaps or shampoos or creams really did anything for me. So I never ended up going back for a second batch of anything I bought from them, and I find it puzzling that so many branches are opening around Japan. But then, I don't really get the popularity of The Body Shop, either, so what do I know?
posted by misozaki at 9:06 PM on January 23, 2011


A friend of mine worked for Lush and apparently you stop noticing the smell after an hour.

Until one day, when you quit.

And then you can never go into another megamall, ever again, because there's a Lush in there SOMEWHERE and it's all you can smell, seeping sickly sweet into your nose, and you start having flashbacks to that retail hell-time right before Christmas when every parent decided it's a good place to drop the kids off to "play" and then they're splashing water all over the damn place and the squawking chemical-phobes are up in your business having a whinge about parabens or some shit, because clearly that's your decision to make, and someone else is screaming blue murder because they mucked up their hair putting the stupidly named "caca" henna (oh how cute it's named after poop!) over an existing crappy dye job and oh fuck this I'm going to go work a reception desk somewhere.

Or so I've heard.

(Indeed, all retail jobs are this crappy, but most of them don't leave little time bombs of olfactory assault littered around your city.)
posted by jaynewould at 11:09 PM on January 23, 2011


So a company has a server hacked, credit card details are compromised, they follow best practice and inform their customer base, and that's not enough.

I say kudos to Lush. I don't really care for the cutesy stuff either, but the important thing here is that they didn't do what most companies do, and hide the theft. They should be applauded for that.
posted by seanyboy at 4:19 AM on January 24, 2011 [1 favorite]


So a company has a server hacked, credit card details are compromised, they follow best practice and inform their customer base, and that's not enough.

They are being criticized for not informing their customer base right away, or at leastv in a reasonably timely fashion. Seems as as though they let it go for some months before letting people know about it. That's why people are pissed off, and rightly so.

You could wash your hair with no shampoo, just hot water.

Vinegar, man, vinegar. That's where it's at.

Lush stores smell terrific

Clearly, beauty is in the nose of the besmeller.
posted by flapjax at midnite at 4:35 AM on January 24, 2011 [1 favorite]


Seems as as though they let it go for some months before letting people know about it

There was a long time between detecting the site was being attacked and notifying the general public (3-4 weeks), but I can't tell how long there was between knowing when credit card numbers had been compromised and notifying the general public.

No excuses for Lush because 4 weeks is too long, but between the two known points, there's a lot of shit that has to happen.

Point 1: detecting the site was being attacked

Christmas
Knowing that the attack was successful.
Knowing that credit card details had been compromised.
Running it through Legal.
Telling the Police. (Who may need the server kept online)
Getting the web page brought down.

End Point: notifying the general public

I suspect that the issue here was there was a gap between knowing that the server had been hacked, and knowing that the credit card numbers were compromised. I'd be interested in knowing if the credit card numbers of past purchases were taken, or newly entered credit card numbers.

Again - No excuses for how long it took, but I don't think it's as cut and dried as "They knew bad men had credit card numbers and did nothing"
posted by seanyboy at 6:43 AM on January 24, 2011


BTW - Lush. If you're reading this, I'd check all computers that have access to your server. Odds on that the intrusion onto your server is initially via internal paths.
posted by seanyboy at 6:45 AM on January 24, 2011


(Note to self: Stop stalking Miki. The 90s are over.)

She's a sub-editor on TV Times now.
posted by mippy at 2:23 PM on January 24, 2011


From the Grauniad article:

Customers will be unable to make purchases until a new site is launched "in a few days" accepting only PayPal payments

This to me says "lost their merchant account". That's going to sting a lot.
posted by mendel at 6:29 PM on January 24, 2011 [1 favorite]


« Older Call the wahmbulance?   |   Fuck the police Newer »


This thread has been archived and is closed to new comments