A problem with a form on the UK retailer WHSmith’s website is resulting in masses of spam email and customer details being indiscriminately sent out to anyone who enquires about magazine subscriptions.
Of course, being the sort of patient, calm nation that the UK is, almost no one took to Twitter to complain. Oh, wait, yes they did. Loads of them.
Sounds like a problem with @WHSmith IT, emailing customers’ contact details to other customers. See @WHSmith mentions… #data #dataprotection
— Jonathan Hewett (@jonhew) September 2, 2015
@WHSmith why are you not addressing the data breach? I've received a variety of emails from people using your online form! #dataprotection
— John Newman (@acidbleeps) September 2, 2015
I am loving the WHSmiths hack right now. Feel like I've gained loads of new mates, without the drama of meeting them. #goturnumber @WHSmith
— Charlie Grant (@CharlieGrant) September 2, 2015
https://twitter.com/jskuse89/status/638990532161720320
https://twitter.com/jonoread/status/638987183739785216
Unfortunately, the company is refusing to publicly acknowledge the error so far and hasn’t confirmed what details are being sent out to other users – specifically, whether it’s names and addresses, or whether it includes any sort of payment details too.
We’d expect an error like this to be sorted pretty quickly, but a nationally recognized company like WHSmith really should be more careful with the way in which it handles data in the first place; it’s impossible to put data ‘back in the bottle’ once it has leaked.
We’ve asked WHSmith for a statement and will update when we hear back.
Update: We still haven’t had a response from WHSmith, but the company told The Register that:
We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach.
We believe that this has impacted fewer than 40 customers who left a message on the “Contact Us” page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error.
I-subscribe have immediately taken down their “Contact Us” online form which contains the identified bug, while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error.
We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.
Update 2: The issue has apparently been resolved, according to the company’s official Twitter account.
We can confirm that the issue with the contact form on the WHS Magazines site is resolved. More details here: http://t.co/RY0VhkZncs
— WHSmith (@WHSmith) September 2, 2015
Get the TNW newsletter
Get the most important tech news in your inbox each week.