Royal Mail customers see each other's order info in recent breach

Royal Mail data breach lets customers see information on other users' orders

Royal Mail closed its Click & Drop platform in the wake of the issue

Royal Mail temporarily shut down its Click & Drop website this week after complaints that some users were able to see details of other users' orders.

Customers can use the Click & Drop platform to print shipping labels, pay for postage online, and track their packages while they are in transit.

Royal Mail learned about the breach on Tuesday. The error manifested at around 13:00 GMT, and Royal Mail shut the website down about an hour later, according to an alert posted on Click & Drop's status page.

In a statement published just before 14:00, Royal Mail said, 'We have been made aware there was an issue affecting Click & Drop that meant some customers could see other customers' orders.'

'As a protective measure, we have stopped access to Click & Drop temporarily. We fully understand and apologise for the inconvenience caused by this. Our engineers are working as hard as possible to get the site back up and running as expected.'

The organisation marked the problem as 'resolved' around four hours later, at 18:01 GMT, and the website began functioning normally shortly afterwards.

There were no incidents reported the next day, according to Click & Drop's status page. However, some customers took to Twitter to complain that the website was still not functioning properly, and that they had been charged twice but had not received a postage label.

Royal Mail will almost certainly have to report the incident to the Information Commissioner's Office (ICO), which serves as the UK's personal data protection watchdog.

The company had not provided an update to the ICO on Tuesday, the regulator told Sky News.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms," a spokesperson for the ICO said.

"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary. All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us."

Royal Mail narrowly avoided the data breach coinciding with strike action. The company was able to negotiate with the Communications Workers Union (CWU) to call off its scheduled walkouts on the 2nd, 3rd, 4th, 8th, 9th and 10th November.

IDS, Royal Mail's parent firm, said last month that 5,000 to 6,000 roles will be eliminated by August next year.

It blamed the decision on declining package volumes, delays in efficiency improvements and industrial action.