BBC America Shop customer orders leaked

Over the weekend, I received an e-mail from a BBC America Shop customer revealing that the site was leaking customers’ order information – names, billing and shipping addresses, phone numbers, item number ordered, and e-mail addresses.  The exposed orders had been placed between June 10 of this year and that day. No credit card information was exposed and the records did not appear to have been cached in Google.

The customer tells that he became aware of a breach after he started receiving unwanted e-mail and searched Google for his name, which took him to a link to his order.  By simple url manipulation, he could see other customers’ data, too.  He started e-mailing other customers to alert them that their information was exposed and also contacted this site. contacted BBC America Shop’s call center by phone to alert them to the exposure. Two hours later, the subdomain where the database had been available was no longer accessible.

Shortly thereafter, I received an e-mail from Interactive Partners, the firm that develops and maintains BBC America Shop’s web site, thanking me for the heads up.   I’m hoping that they will provide some additional details as to how the breach occurred and when it occurred, but they were still investigating the incident when I last heard from them Saturday night. It is not known to me at this time whether they or BBC America Shop intends to e-mail all affected customers.

I’ve occasionally blogged about how frustrating it can be to try to alert an entity to a breach.  This wasn’t one of those cases. In this case, when I went through the 800 customer service number and explained the situation, the call center representative transferred my call to someone who appreciated the need to relay the information promptly after I walked her through how to see all the customer data in her browser.

Never one to miss an opportunity, however, I will use this entry as a chance to remind you:  if your business (or your client) uses a call center for customer service – or even if you handle calls internally – make sure that everyone understands what to do if someone calls in to report a data or security leak.  It can save you (and the caller!) a lot of time and potential grief.

And if you have a breach to report, you can e-mail this site at breaches[at]  I can’t promise I’ll be able to help, but I usually try.


About the author: Dissent

Comments are closed.