

Marks & Spencer #fail (a data security story)

I was minding my own business the other day when I started getting order e-mails from Marks & Spencer (an upmarket clothing and food company in the UK).

It wasn't for anything I ordered; I hardly even shop there. My first thought was that it was some kind of phishing attack. But on investigation the e-mails were legitimate, and someone else must have used my e-mail address to order.

This p*ssed me off a bit, as competent web developers know you don't just accept e-mail addresses into eCommerce systems: you verify them first, before anything is sent to that address and before the account is tied to it.
There are two important reasons for that:
  1. You don't want a third party to be spammed due to a typo.
  2. You don't want someone else's data to be accessed by a third party.

On point '2' it may be as mild as leaking order information, but a skilled fraudster could sometimes elevate it all the way up to a mild form of identity theft, because whoever controls the e-mail address also receives the password reset link.
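To make the "verify first" rule concrete, here is an added example of the gate an eCommerce system should put in front of an unverified address. It is illustrative code written for this post, not anything from M&S or from ocPortal/Composr; the in-memory `Store`, the account IDs and the e-mail addresses are constructed, and the 24-hour link lifetime is an assumed policy. The same gate covers password resets, since a reset mail is just another message to the address on file.

```python
import hashlib
import secrets

VERIFY_TTL = 24 * 3600  # seconds a verification link stays valid (assumed policy)


class Store:
    """In-memory stand-in for the shop's account and token tables (constructed for this example)."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email": str, "verified": bool}
        self.tokens = {}    # sha256(token) -> (account_id, email, expiry)
        self.outbox = []    # (recipient, subject) pairs, in place of a real mailer


def _digest(token):
    # Store only a hash of the token, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def register(store, account_id, email, now):
    """Create the account with the address marked unverified and send ONLY a verification mail."""
    store.accounts[account_id] = {"email": email, "verified": False}
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    store.tokens[_digest(token)] = (account_id, email, now + VERIFY_TTL)
    # The verification mail carries no order data, no name, no address: nothing to leak
    # if the address belongs to a stranger (or was mistyped).
    store.outbox.append((email, "verify: " + token))
    return token


def confirm(store, token, now):
    """Redeem a verification token: single use, time-limited, bound to the address it was issued for."""
    entry = store.tokens.pop(_digest(token), None)  # pop() makes the token single use
    if entry is None:
        return False
    account_id, email, expiry = entry
    if now > expiry:
        return False
    acct = store.accounts.get(account_id)
    if acct is None or acct["email"] != email:  # address changed since the link was issued
        return False
    acct["verified"] = True
    return True


def send_to_account(store, account_id, subject):
    """Gate for every notification: order confirmations AND password resets go only to a verified address."""
    acct = store.accounts[account_id]
    if not acct["verified"]:
        return False
    store.outbox.append((acct["email"], subject))
    return True


if __name__ == "__main__":
    # Constructed scenario: a customer registers with someone else's address by mistake.
    store = Store()
    token = register(store, "cust-1", "chris@example.org", now=0)
    print("order mail sent before verification:", send_to_account(store, "cust-1", "Your order has shipped"))
    print("reset mail sent before verification:", send_to_account(store, "cust-1", "Password reset"))
    print("verified with the emailed token:", confirm(store, token, now=60))
    print("order mail sent after verification:", send_to_account(store, "cust-1", "Your order has shipped"))
```

Two design points matter here: the token table holds only hashes of the tokens, so the database alone cannot be turned into working links, and the gate in `send_to_account` sits in one place that every mailer path goes through, so a password reset cannot bypass it.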

Being a responsible kind of person, I immediately went to let M&S know of the problem. So I went to their website, and chose the option to contact them for website problems. Crash, I got an error page.

So, I headed to Twitter to complain to them.

They responded, asking me to DM them screenshots of stuff on Twitter.

I wasn't going to mess around sending individual DMs for each screenshot, so I asked for an e-mail contact and got it about a day later.

I then e-mailed, and got a reply, again about a day later.

The reply shocked me:
Good evening Chris


I'm really sorry to hear you're receiving emails about another M&S account that doesn't belong to you. I appreciate this is frustrating as you're not making the orders and the account is for another customer.

I've looked into this and I can see the customer's account is a mastered account and was created by the customer herself. There's no breach of security as the customer doesn't have access to any of your personal information, nor do you have any of hers.

Unfortunately, I'm unable to make any changes to the customer's account unless they get in contact with us themselves due to data protection laws.

I'm really sorry I can't be much more help with this matter but I hope you have a lovely evening.

Kind regards

(Name removed)
Retail Customer Services
Your M&S Customer Service

What a load of BS.

I knew at this point I had the customer's first name, the store they used (likely close to their home), and order information, as it had all appeared directly in the e-mails. This in itself is personal information, so I'd say they were in breach for allowing me access to only this. As a computer professional I also knew I likely had full access to their account, as password resets can be done if you have access to an account's e-mail address.

I also knew they were in violation of EU anti-spam regulations.

And they had not bothered to respond regarding the broken contact form on their website. Likely there are all kinds of problems people are facing that are never reaching them. Few are likely to jump on Twitter like I did.

So, very tetchy at this point I decided to do a password reset so I could access the account, as they were refusing to help me. Through the account I would be able to disconnect it from my e-mail address to wash my hands of this mess.

Once logged in, I could see the last few digits of the customer's credit card, their home address, their phone number, their full name, their marital status, and their order history.

Quite a major breach of personal information, no?

Of course I am not going to abuse this information. I do however feel the professional need to give M&S some severe professional shaming at this point. They are likely in breach of multiple laws, and have let down a customer. When told about a severe problem they made an excuse and moved on.

I hope they clean all this up soon. Right now, as an IT professional, I would recommend nobody touch their online systems; who knows what else they may be getting wrong.
