Royal Mail customer data leak shutters online Click and Drop
Customers complain of exposed order info, multiple charges — but still no postage
A technical SNAFU shut down the UK's Royal Mail Click and Drop website on Tuesday after a security "issue" allowed some customers to see others' order information.
The data leak started around 13:00 GMT, and according to an alert posted on Click and Drop's status page, Royal Mail shut down the website about an hour later.
In an update posted shortly before 14:00 GMT, the postal service noted:
We have been made aware there was an issue affecting Click & Drop that meant some customers could see other customers' orders. As a protective measure, we have stopped access to Click & Drop temporarily. We fully understand and apologise for the inconvenience caused by this. Our engineers are working as hard as possible to get the site back up and running as expected. Further updates will be posted here as soon as we have more information.
In subsequent alerts, Royal Mail assured customers that its engineers continued to work on a fix, and hoped to have the site back online "as soon as possible." The service, which allows customers to print labels and pay for postage online, and then track packages until they reach their destination, vowed that it was "treating this as the highest priority."
Later, Royal Mail suggested users resort to actual paper "emergency" order forms instead of the online versions. Who even owns a printer these days? Emergency, indeed.
About four hours later, at 18:01 GMT, the postal service marked the issue as "resolved," and the website was up and running. "We apologise for any inconvenience this has caused our customers," Royal Mail said. "The root cause is now under investigation."
On Wednesday, the online service noted "no incidents reported today." However, some customers took to Twitter to say the site still wasn't working, and they had been charged twice but not received any postage label.
- Education tech giant gets an F for security after sensitive info on 40 million users stolen
- Health insurer Medibank's data breach diagnosis keeps getting worse
- TikTok faces $29m fine for 'failing to protect UK kids' privacy'
- Gone phishing: UK data watchdog fines construction biz £4.4m for poor infosec hygiene
Royal Mail did not immediately respond to The Register's questions about how many customers' data was exposed, or whether the incident was due to a mistake or something more malicious.
As of Tuesday, Royal Mail had not notified the UK's Information Commissioner's Office (ICO), according to Sky News. The postal service has 72 hours after becoming aware of a data breach to notify the consumer privacy watchdog agency, unless the leak doesn't "pose a risk to people's rights and freedoms" an ICO spokesperson told the media outlet.
The ICO didn't immediately respond to The Register's inquiry. ®