Share your contact details with us - and 100s of our customers - says WH Smith

It's Back to School time for WH Smith
It's Back to School time for WH Smith

WH Smith has had to apologise for leaking personal information about its customers to hundreds of other customers in a contact form malfunction.

The breach came to light when customers started posting about it on Twitter.

A report from the Ponemon Institute in December 2014 revealed that businesses in the USA and Europe are struggling to apply the appropriate user privileges when it comes to corporate data.  

Jake Madgwick Lawton tweeted that he'd received emails containing confidential personal information.

Others posted on WH Smith's Facebook page.           

Steph Armitt wrote: “65 emails starting at 00.12 this morning with different customers names, phone numbers and email addresses????? Very irritating......”

Jenny Gallagher complained: “I've had about 16 emails from your customers emailing your company. What is going on??? It's very irritating and I want to know why these emails (with confidential information) are coming to my inbox.”

WH Smith said that the problem was a glitch rather than a security breach. It blamed the problem on a third-party contractor. “We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach. We believe that this has impacted fewer than 40 customers who left a message on the ‘Contact Us' page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error.” The contact page has been taken down, the company said.

Meanwhile, the Information Commissioner has confirmed it is aware of the issue.

Kevin Cunningham, president of SailPoint commented, “Based on the continual news reports of cyber attacks and data breaches, clearly this is the new norm that organisations have to counteract or they risk a significant impact to their bottom-line as well as customer loyalty.”

Orlando Scott-Cowley, cyber-security expert at Mimecast, said he's analysed the situation: “Exposing customer emails addresses and phone numbers is not only embarrassing but can seriously increase the risk of targeted phishing attacks. Regulators take a very dim view of personal information leaks. This incident is a reminder that complex IT systems need extremely careful management and appropriate data leak prevention strategies.”