Updated British newsagent WHSmith has a major privacy hole on its website, after its magazine subscription service began emailing everyone on the mailing list.
The data protection howler has been flagged up on Twitter by plenty of angry customers who fear having their personal information plundered by wrongdoers.
However, despite the noisy protests, WHSmith was yet to release a public statement about the blunder.
At time of publication, it had failed to respond to a single tweet about the cockup.
WHSmith's internal PR could not be reached by The Register this morning.
We've heard that a mysterious third party that helped to organise magazine subscriptions has been blamed for the gaffe, which WHSmith appears to be unsurprisingly keen to play down.
WHSmith data blunder: One sample of the leaky data. Hat tip to reader Jonathan Dix for the screen grab
However, the UK's data watchdog may see things differently.
El Reg has contacted the Information Commissioner's Office for comment and provided the regulator with details of the data spaff.
Unfortunate that every time someone emails @WHSmith about magazine subscriptions it's going to *everyone* on the database. Details too.— Jono Read (@jonoread) September 2, 2015
People - stop using the #whsmith contact form to complain about your details being passed on. That's how they're being passed on!— Lynn Schreiber (@LynnCSchreiber) September 2, 2015
We'll update this story once we know more. ®
WHSmith finally coughed up a statement after publication of this story. It said:
We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach.
We believe that this has impacted fewer than 40 customers who left a message on the "Contact Us" page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error.
I-subscribe have immediately taken down their "Contact Us" online form which contains the identified bug, while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error.
We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.
WHSmith did not reveal whether it had turned itself in to the ICO, however.
A spokesman at the ICO confirmed to the Reg that the watchdog was "making enquiries" about the WHSmith incident.