WHSmith customers have had private data sent to fellow users of the retailer’s website after a glitch with an online contact form.
Any information typed into the ‘contact us’ form, which now appears to have been removed from the WHSmith website, is supposed to be passed on to the retailer itself but has instead been sent to its entire mailing list.
WHSmith insisted the issue was caused by “a bug not a data breach” and has apologised to more than 20 customers who have been affected by the problem.
The incident comes just weeks after WHSmith came under fire for its pricing policy in hospital stores and faced claims it was asking customers at its airport stores to show boarding passes at the checkout in order to reclaim VAT savings, without passing the discounts on to its customers.
WHSmith customers took to social media to spread the word about the apparent breach, which involves the retailer’s magazine subscription service.
Customers using the ‘contact us’ form said they started receiving spam emails that included the names, phone numbers and email addresses of other WHSmith shoppers.
Jono Read wrote on Twitter: “Every time someone emails WHSmith about magazine subscriptions it’s going to everyone on the database, details too.”
Other users complained about the issue on the retailer’s Facebook page, with Steph Armitt claiming she had received “65 emails starting at 00.12 this morning.”
Bug not a breach
A spokesman for WHSmith said: “We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach.
“We can confirm that this has impacted 22 customers who left a message on the ‘Contact Us’ page where this bug was identified, that has resulted in some customers receiving e mails this morning that have been misdirected in error.
“I-subscribe have immediately taken down their ‘contact us’ online form which contains the identified bug, while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error.
“We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.”