This article is more than 1 year old

OH DEAR, WHSmith: Sensitive customer data spaffed to world+dog

Magazine form emails EVERYONE on mailing list

Updated British newsagent WHSmith has a major privacy hole on its website, after its magazine subscription service began emailing everyone on the mailing list.

The data protection howler has been flagged up on Twitter by plenty of angry customers who fear having their personal information plundered by wrongdoers.

However, despite the noisy protests, WHSmith was yet to release a public statement about the blunder.

At time of publication, it had failed to respond to a single tweet about the cockup.

WHSmith's internal PR could not be reached by The Register this morning.

We've heard that a mysterious third party that helped to organise magazine subscriptions has been blamed for the gaffe, which WHSmith appears to be unsurprisingly keen to play down.

WHSmith data howler

WHSmith data blunder: One sample of the leaky data. Hat tip to reader Jonathan Dix for the screen grab

However, the UK's data watchdog may see things differently.

El Reg has contacted the Information Commissioner's Office for comment and provided the regulator with details of the data spaff.

We'll update this story once we know more. ®

Update

WHSmith finally coughed up a statement after publication of this story. It said:

We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach.

We believe that this has impacted fewer than 40 customers who left a message on the "Contact Us" page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error.

I-subscribe have immediately taken down their "Contact Us" online form which contains the identified bug, while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error.

We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.

WHSmith did not reveal whether it had turned itself in to the ICO, however.

Update 2

A spokesman at the ICO confirmed to the Reg that the watchdog was "making enquiries" about the WHSmith incident.

More about

TIP US OFF

Send us news


Other stories you might like