A problem with a form on the UK retailer WHSmith’s website is resulting in masses of spam email and customer details being indiscriminately sent out to anyone who enquires about magazine subscriptions.
Of course, being the sort of patient, calm nation that the UK is, almost no one took to Twitter to complain. Oh, wait, yes they did. Loads of them.
— Jonathan Hewett (@jonhew) September 2, 2015
— Charlie (@CharlieGrant) September 2, 2015
@WHSmith super, you've sent me over 100 people's personal details, awesome, so who's got mine?!?! 👌
— Jamie Skuse (@jskuse89) September 2, 2015
Unfortunate that every time someone emails @WHSmith about magazine subscriptions it's going to *everyone* on the database. Details too.
— Jono Read (@jonoread) September 2, 2015
Unfortunately, the company is refusing to publicly acknowledge the error so far and hasn’t confirmed what details are being sent out to other users – specifically, whether it’s names and addresses, or whether it includes any sort of payment details too.
We’d expect an error like this to be sorted pretty quickly, but a nationally recognized company like WHSmith really should be more careful with the way in which it handles data in the first place; it’s impossible to put data ‘back in the bottle’ once it has leaked.
We’ve asked WHSmith for a statement and will update when we hear back.
Update: We still haven’t had a response from WHSmith, but the company told The Register that:
We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach.
We believe that this has impacted fewer than 40 customers who left a message on the “Contact Us” page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error.
I-subscribe have immediately taken down their “Contact Us” online form which contains the identified bug, while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error.
We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.
Update 2: The issue has apparently been resolved, according to the company’s official Twitter account.
We can confirm that the issue with the contact form on the WHS Magazines site is resolved. More details here: http://t.co/RY0VhkZncs
— WHSmith (@WHSmith) September 2, 2015