Updated: Around 800 Marks & Spencer customers had their personal details exposed online due to a technical glitch
British retailer Marks & Spencer temporarily suspended its website on Tuesday night, after some customers complained they could see each other’s details when they logged into their own accounts.
Posting on the company’s Facebook page, customers expressed alarm that they could see other people’s orders and payment details when registering for the new members’ club and card scheme called “Sparks”.
“Interesting, I just created an M&S account to register my new Sparks card and out of a sudden I’m logged in to someone else’s account!” wrote Konstantinos Vlassis.
“M&S this is in breach of privacy and data security. I can see personal addresses, past orders and info of another account holder and I assume they can see mine? I can message you screen grabs if you want but this is not good security!”
Fellow customer Vanessa Frost wrote: “There seems to have been a data breach on your M&S website – if I log into my account on there it brings up another person’s details – this is happening to loads of people.”
M&S said that the glitch was the result of an internal error rather than a third-party attack on the site, and said no financial data had been extracted. However, personal data, including names, dates of birth, contact details and previous orders, was exposed.
The website was taken offline at about 6.30pm and was back on by 9pm.
“We can confirm that around 800 people were affected by a technical issue that led to us temporarily suspending our website yesterday evening,” a spokesperson for Marks & Spencer said.
“We are now writing to every customer affected to apologise and to assure them that their financial details are safe.”
Commenting on the incident, Phil Barnett, VP Global at Good Technology, said that many companies are flying blind when it comes to security, because they don’t think it affects them.
“Marks and Spencer’s proves that customer data breaches are real threats and have serious consequences. Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority,” he said.
“When GDPR is implemented in 2016, companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it’s not just going to be some painful interviews and a drop in share price, there’s the potential of big fines for every business.”
Last week British telecoms firm TalkTalk suffered a major cyber attack, which potentially compromised the data of more than four million customers. A 15-year-old schoolboy has been arrested in connection with the incident.