When you fill in a form on a website, you expect that information to go straight to the company that owns the site (and the NSA), not its entire mailing list of customers. But that’s exactly what happened recently with WHSmith, whose main site had a misconfigured “contact us” form that sent all provided data right through to everyone who’s ever bought something from the company.
“We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug not a data breach,” WHSmith clarified in a chat with the Guardian. “We believe that this has impacted fewer than 40 customers who left a message on the ‘Contact Us’ page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error.”
The retailer eventually took the problematic form down, but before that happened the problem was compounded when people began using the WHSmith site to try to inform the company of the problem, only for those messages to be sent on to everyone as well, including personal details like usernames, email addresses, full names and in some cases even telephone numbers.
While some people were quick to point out the mistake to the company, others took it in their stride and enjoyed the easy access to such a large audience.
With the form now removed, WHSmith believes ‘only’ around 40 people were affected, but has not responded further to requests about the breach.
KitGuru Says: Bit of a gaffe, but good to see that WHSmith responded swiftly to the problem.