British retailer WHSmith has suffered a data breach that has resulted in users’ personally identifiable information (PII) being sent out to hundreds of customers’ inboxes.
According to The Guardian, personal information including names, phone numbers, and email addresses that users typed into the retailer’s contact form was not sent to the company but was instead delivered to its entire mailing list.
Some customers allegedly contacted WHSmith using the form in an attempt to notify it about the inbox spamming. However, their efforts led to only more emails being sent out.
Given the difficulty of reaching the company via email, many users instead took to Twitter and Facebook, with some complaining that they had received upwards of 50 emails.
One Louise Maxwell wrote on Facebook: “What on earth is going on with the magazine subscription online service? I am receiving emails that have been directed to the ‘Contact US’ page to my personal email from angry customers reporting the same thing….!! #WHSMITH Sort it out.”
WIRED has reported that another customer complained on Facebook of having received 40 emails and that they are continuing to flood her email as of this morning.
In response to the data breach, WHSmith has issued the following statement:
“We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach,” the retailer said. “We believe that this has impacted fewer than 40 customers who left a message on the ‘contact us’ page where this bug was identified, that has resulted in some customers receiving emails that have been misdirected in error.”
WHSmith also is said to have temporarily hidden the contact form from its website but not removed it.
To learn more about how data breaches like this incident at WHSmith have evolved over the last year, please read our analysis of the 2015 Verizon Data Breach Investigations Report here.