A flaw in the website of high street chain WHSmith has caused sensitive customer data, including names, addresses and phone numbers, to be emailed to other registered users of the website.
The flaw has been blamed on a form provided by third-party contact subscription service I-subscribe, and thousands of emails were reportedly sent out overnight.
WHSmith has confirmed that an error with the form has resulted in the data of 22 customers being released.
"We have been alerted to a systems processing bug by I-subscribe, who manage our magazine subscriptions. It is a bug, not a data breach," WHSmith told V3 in a statement.
"We can confirm that this has impacted 22 customers who left a message on the 'Contact Us' page where this bug was identified, that has resulted in some customers receiving emails this morning that have been misdirected in error."
It is not yet known exactly how many emails were sent. WHSmith said that the third-party contact page has now been disabled to prevent further exposure of customer details.
"I-subscribe have immediately taken down their 'Contact Us' online form which contains the identified bug while this is resolved. I-subscribe are contacting the customers concerned to apologise for this administrative processing error," said a WHSmith spokesperson.
"We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned."
Customers were first alerted to the incident after receiving emails containing suspicious user data, and many took to social media to complain about the problem.
@WHSmith I've woken up to about 10 emails from whsmiths magazines that are like other customers contact forms? Please could you investigate — Charlotte (@chrlttnylr) September 2, 2015
I've got 57 emails so far from @WHSmith all emails from customers to their contact form... containing phone numbers and email addresses. — Bethany Eve Baker (@vintageideas) September 2, 2015
A spokesperson for the Information Commissioner's Office said: "We are aware of an incident regarding WHSmith and are making enquiries."