WHSmith contact form spams out personal customer data

Envelope. Image courtesy of Shutterstock.

Users of UK newsagent chain WHSmith’s online services have reported large amounts of email arriving in their inboxes, containing personal contact data on other users.

The leak appears to be related to an online “Contact Us” form, with numerous users claiming that attempting to report the issue via the form led to further barrages of info-laden email.

The incident brought a stream of irate users to social media, with complaints piling up on Facebook and Twitter overnight.

The story quickly reached major media outlets, and eventually WHSmith started responding to journalists’ queries, reporting that the incident was down to a third-party service provider managing its magazine subscriptions.

The rogue form was removed from the company’s web properties, and WHSmith claims that fewer than 40 users were affected, describing what happened as a “bug” rather than a “breach” with no financial data involved.

However you want to classify it, any leak of personal information is an unwanted irritant at best – even the most basic data such as names and related email addresses can prove useful fodder for phishers and scammers.

With epic hacks and leaks at big companies like Sony, Target and Adobe affecting millions of users and seeming to hit the headlines with increasing frequency, it’s easy to ignore the smaller and less detailed spills of data dribbling out daily.

The UK’s privacy watchdog, the Information Commissioner’s Office, recently released a commentary on the European Union’s latest moves towards a unified set of data breach notification rules, expressing concerns that regulators could be overwhelmed with “trivial or inconsequential data breaches”.

The commentary welcomes the inclusion of the term “high risk” to limit the sorts of leaks which have to be reported to affected individuals and to regulators, but as always the devil is in the details.

Figuring out just how high the risk of identity theft from a given leak may be is hardly an exact science, and despite the inclusion of the term, the regulators fear many breached firms will be contacting them for consultation, whatever level of data sensitivity seems to be involved.

Overloaded or not, there’s a pretty good chance the ICO will be hearing from WHSmith over this latest incident.

The contact form snafu should remind anyone operating web services with access to user data, such as mailing lists, that extreme care and caution should be applied at all times when configuring such tools.

It’s also vital that third-party providers are properly vetted and monitored, as any blunder on their part will impact your reputation just as badly as a mistake you’ve made yourself.

Beyond the effect incidents like this have on the reputations of the specific organisations involved, there is inevitably a bigger and more insidious psychological impact to any data breach.

Black-hat hackers specifically targeting firms like Ashley Madison may make more dramatic headlines, but the steady attrition of small blunders and mix-ups is doing equally serious damage to our trust in the security and privacy of our internet.

Image of envelope courtesy of Shutterstock.