The website of UK high street retailer Marks & Spencer is back online today after a ‘technical issue’ apparently allowed customers to see others’ details when logged into their accounts.
Customers took to the big name brand’s Facebook page on Tuesday evening to express their anger, claiming that they could see personal information including name, address, telephone number, data of birth and order history.
Adrian Robinson’s comment was typical:
“I tried to register and got someone else's account, with personal data on, date of birth, full address etc! Don't think I want it now, seems a serious breach of personal data!”
Another, Konstantinos Vlassis, had the following:
“Interesting, I just created an M&S account to register my new Sparks card and out of a sudden I'm logged in to someone else's account! M&S this is in breach of privacy and data security. I can see personal addresses, past orders and info of another account holder and I assume they can see mine? I can message you screen grabs if you want but this is not good security!”
Some angry M&S customers also claimed they could see others’ card details. However a spokesperson told ITV News that only the last four digits were exposed “for a brief moment.”
They told the channel:
"Due to a technical issue we temporarily suspended our website earlier this evening. This allowed us to thoroughly investigate and resolve the issue and quickly restore service for our customers. We apologise to customers for any inconvenience caused."
It’s unclear how long the website was offline but it appears to be back up and running as normal now.
The incident calls to mind a similar problem which happened to UK high street chain WHSmith last month.
The stationer admitted that a bug in the IT systems supporting its magazine subscription service led to phone numbers, email addresses and the names of subscribers being sent to other subscribers.
Phil Barnett, vice president of global at Good Technology, argued that the exposure of customer data could have serious consequences.
“When the [European General Data Protection Regulation] is implemented in 2016, companies experiencing a data breach could face a fine of 2% of worldwide revenue, so it's not just going to be some painful interviews and a drop in share price, there’s the potential of big fines for every business," he added.