WHSmith mistakenly emails customer details to other customers
IT gaffes don't come much bigger than this. UK newsagent WHSmith has accidentally leaked a wealth of customer information by mass-emailing details that were submitted through a "contact us" form. The affected page is supposed to send customer messages and their contact details directly to WHSmith -- instead, they were reportedly sent to everyone on its mailing list. It's a huge technical blunder, and to make matters worse, some subscribers used the form when they first received the emails, thereby putting their own details into circulation. WHSmith confirmed to the Guardian that the problem was "a bug, not a data breach" and that it was caused by I-subscribe, an external company that manages its magazine subscriptions: "I-subscribe have immediately taken down their 'Contact Us' online form which contains the identified bug, while this is resolved."
Some users are reporting that the broken form hasn't been removed from WHSmith's site, despite it being been hidden from view. The newsagent says the rogue emails have affected less than 40 customers and that it's contacting them now to apologise and explain what happened. Most importantly, customer passwords and payment details weren't included in the emails -- a small silver lining for those that have been affected.
Anyone else getting dozens of emails via @WHSmith contact form ? Including phone numbers pic.twitter.com/960EZYNSSE
— Lynn Schreiber (@LynnCSchreiber) September 2, 2015
[Image Credit: Simon Dawson/Bloomberg via Getty Images]
