UK: WHSmith “bug” spams confidential customer details from “contact us” form

James Temperton reports:

WHSmith‘s website has randomly sent out hundreds of private emails to people on its mailing list.

The issue appears to come from a broken “contact us” form, with anything customers send through the form being erroneously sent to hundreds of WHSmith’s customers.

Details included in the emails include real names, phone numbers, postal addresses and email addresses of people trying to contact WHSmith. One Twitter user said she had received “dozens” of emails with the subject “New Contact Message Submitted”.

Read more on Wired.

The problem appears to have occurred with a separate company, WHSmith Magazines, that manages magazine subscriptions. In a statement to The Guardian, WHSmith wrote:

“We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach. We believe that this has impacted fewer than 40 customers who left a message on the ‘Contact Us’ page where this bug was identified, that has resulted in some customers receiving e mails this morning that have been misdirected in error.

No customer payment card data or passwords were revealed in the incident.  So far, I have seen no explanation of how the bug suddenly appeared, but telling people it’s a “bug, not a data breach” doesn’t change the fact that customer data were exposed.



About the author: Dissent

Comments are closed.