Marks & Spencer website glitch allowed users to view other customers' personal data

Site suspended for two hours Tuesday night, said to be fixed now

Marks & Spencer (M&S) last night had to suspend its retail website after users complained they saw other people's contact details when they logged into their accounts.

The "internal error" affected M&S's Sparks card membership scheme, apparently mixing up customer details between accounts, linking card memberships with the wrong names, often multiple times during the same sessions. Complaints from customers currently fill the brand's Facebook page wall.

"I tried to register and got someone else's account, with personal data on, date of birth, full address etc! Don't think I want it now, seems a serious breach of personal data!" posted one customer.

"I also registered my card tonight to find that I could see at least another 3 customers' details. Their name, address, telephone number, date of birth and what they have previously ordered. Not very good M & S. Also emailed them and they said they are looking into it," posted another.

One more angry poster declared that "fuming does not cover it".

"Joined yesterday, logged on today to find someone else's details on the account, with address and phone number for someone else. When we ring, all they can say is log out, log in, that's all we can do. NOT GOOD ENOUGH."

This morning, the retailer has begun responding to posts with the following blanket statement:

"We've worked quickly with our technical teams to resolve the difficulties we had last night. Everything is now back up and running and is fully secure for you to shop in confidence. Thanks, Kate."

M&S suspended its website for two hours last night to fix the problem, which, as mentioned previously, it declared was due to an "internal error" rather than an external hack. A hack would perhaps be at the forefront of people's minds after the 15-year-old alleged perpetrator of the recent TalkTalk hack was apprehended yesterday.

The website suspension, M&S has said, "allowed [M&S] to thoroughly investigate and resolve the issue and quickly restore service for [M&S] customers".

"We apologise to customers for any inconvenience caused," M&S added.

M&S has also hastened to add that, in addition to the leaked details mentioned by customers above, the last four digits of other customers' payment cards may have been visible "for a brief moment", but that no full payment card details were visible between accounts at any point.

Phil Barnett, global VP at security firm Good Technology, suggested retailers such as M&S have been "flying blind" when it comes to security as "they don't think it affects them".

"The truth is that it's not just a conversation for banks or governments anymore," he warned.

"90 per cent of companies have actually experienced a hack, and recent examples like Sony and TalkTalk have proved that - anyone and everyone is a potential victim of hacks and data leaks. Marks & Spencer's proves that customer data breaches are real threats and have serious consequences. Data is a company's biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority."

Barnett added that the implementation of the GDPR (General Data Protection Regulation) law in 2016 should cause a shakeup in considerations around security for companies across the board.

"Companies experiencing a data breach could face a fine of two percent of worldwide revenue, so it's not just going to be some painful interviews and a drop in share price - there's the potential of big fines for every business," said Barnett.