After a decade and a half and thousands of dollars spent, Ulta lost my business. For years, Ulta impressed me with its unique combination of products. Having drugstore, prestige, and salon all in one place is great! It was convenient and felt like a more inclusive place to shop. It wasn’t intimidating to my younger self the same way Sephora and beauty counters were.
I’ve been a member of their Ultamate Rewards program since 2008. Unfortunately, though, Ulta lost my business due to a critical security issue. You should reconsider whether you do business with them, as well.
Weird Activity
Like many, my beauty spending tapered off in 2020. I wasn’t going through product at the same rate. Add to that the amount of uncertainty in the world, and I was being judicious and cautious with nonessential spending. I expected my rewards tiers at both Sephora and Ulta to lapse. So, imagine my surprise when I got an email from Ulta suggesting I had more points than I expected.
Compromised?
Fortunately, my web account was safe! The mystery transactions were from a store nearby. The purchases were not things I would buy or that aligned with my buying history. Points I earned previously were redeemed in store by someone…who is not me.
I contacted Customer Service, but all they did was refund the spent points. They didn’t investigate further. They didn’t issue me a new account, or anything. I let it go for a while. I kept seeing additional activity, though, and grew increasingly uncomfortable with it. Logging into my Ultamate Rewards account one day revealed an address update that I had not made. It still wasn’t due to a web compromise, yet again. Whoever was doing this updated the address on my account in store with a cashier.
WTF? How?
Like many loyalty programs, Ulta is flawed. To redeem points you don’t need to do any sort of validation. You don’t have to enter a redemption PIN or provide ID. (It is important to note that those points are currency equivalents, used for dollars off of purchases.) They also do not require that you verify any information to make updates to your account in store.
The update gave me information to research with. I discovered that there is someone in my county with my same first and last name, with a different middle initial, at the address in question. Go figure. That tells me a LOT about what happened, though!
What Happened?
Allow me to reconstruct how this happens:
My (almost) name doppelganger goes to shop in an Ulta store. (Even prior to the pandemic, I was primarily an online shopper.) When she goes to check out, they ask if she has an account (she doesn’t), but they offer to look it up by last name. So they enter our last name in their system. Then this exchange occurs:
Cashier: “<First name?>”
Mystery Person: “Yep!”
–and that’s that. This is frustrating. If you’ve ever worked for a place that has systems like this, you know you should confirm other info, like their address. Why? Because last names aren’t uncommon.
Taking Matters into My Own Hands
Frustrated, I reasoned that updating my first name on my account to be <First Middle> might help alleviate confusion since Ulta seemed unable or unwilling to provide some other manner of protection.
I updated my address information back to my correct info but found myself unable to update my name. I reached out to customer service via chat once more. Same story, no help. I pressed, however, because the security implications of this are objectionable to me in a major way.
The chat agent then directed me to a supposedly-escalated queue handled by email. I waited days for a reply.
Getting Nowhere
They wanted me to go in store to update it. Never mind that the store wouldn’t verify that the information is legitimate, which is not comforting. I explained that, because of the ongoing pandemic, I am not going to non-essential places but offered to provide ID documentation to validate my ownership of the account and confirm my real name.
They elected to be a broken record. Inflexibility of policy, particularly a policy that is already weak on security and values neither customer data nor loyalty, does not constitute “absolutely have to,” to me. They offered no reassurance whatsoever.
Poor Customer Experience
I’ve worked customer service roles. I understand that sometimes there is a script, so I do not hold this against the reps in question. I do, however, hold Ulta accountable for their refusal to empower their reps to think critically about a situation. Why aren’t supervisors trusted to assess whether the script and normal application of policy is universally appropriate?
Ulta also refused to commit to a review of the policy. They refused to relay suggestions of how to improve and secure this experience. Even if I went through the hassle of going to my local store, there’s no assurance that this wouldn’t recur due to their lack of validation. My day job is in IT, a field in which I’ve worked for a decade+. I have to deal with personal data privacy every day, so I take these things seriously.
My complaint here is fundamentally related to data privacy. Someone I have not authorized is gaining access to “assets” of mine due to inadequate verification procedures. I can’t go to the bank, tell them I’m Jane Doe, and withdraw Jane Doe’s assets, can I?
The Bottom Line
Ulta demonstrated that they do not care about multiple things. They don’t care about their procedures upholding the integrity of their loyalty program. They don’t care how that impacts customers. As such, Ulta has lost my business. I will shop with competitors, even if that means spending a little more and risking inconvenience. That is how serious this is to me, and how serious I’d hope it is for some of you. I will not shop with them unless this is remedied.
Is it overreacting? No. Information security is important. Not allowing access to a currency equivalent that belongs to someone else is important. What value is a loyalty program to me if someone else can spend the benefits I earn? These processes matter. Customer Service matters.
Since expressing sincere concern through the proper channels went nowhere, the only things left to do are:
- take my business elsewhere and
- share my experience so others can decide if they want to continue their relationship with Ulta
This isn’t just about me. Ulta lost my business not only because of that, but because if they don’t care about 15+ year customers who have spent $1000s there, then they do not care about any of their customers. My advice? It’s nothing new: vote with your dollars. Shop somewhere that is not as careless with their processes or your information.