DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

BBC America Shop customer orders leaked

Posted on November 21, 2011 by Dissent

Over the weekend, I received an e-mail from a BBC America Shop customer revealing that the bbcamericashop.com site was leaking customers’ order information – names, billing and shipping addresses, phone numbers, item number ordered, and e-mail addresses.  The exposed orders had been placed between June 10 of this year and that day. No credit card information was exposed and the records did not appear to have been cached in Google.

The customer tells DataBreaches.net that he became aware of a breach after he started receiving unwanted e-mail and searched Google for his name, which took him to a link to his order.  By simple url manipulation, he could see other customers’ data, too.  He started e-mailing other customers to alert them that their information was exposed and also contacted this site.

DataBreaches.net contacted BBC America Shop’s call center by phone to alert them to the exposure. Two hours later, the subdomain where the database had been available was no longer accessible.

Shortly thereafter, I received an e-mail from Interactive Partners, the firm that develops and maintains BBC America Shop’s web site, thanking me for the heads up.   I’m hoping that they will provide some additional details as to how the breach occurred and when it occurred, but they were still investigating the incident when I last heard from them Saturday night. It is not known to me at this time whether they or BBC America Shop intends to e-mail all affected customers.

I’ve occasionally blogged about how frustrating it can be to try to alert an entity to a breach.  This wasn’t one of those cases. In this case, when I went through the 800 customer service number and explained the situation, the call center representative transferred my call to someone who appreciated the need to relay the information promptly after I walked her through how to see all the customer data in her browser.

Never one to miss an opportunity, however, I will use this entry as a chance to remind you:  if your business (or your client) uses a call center for customer service – or even if you handle calls internally – make sure that everyone understands what to do if someone calls in to report a data or security leak.  It can save you (and the caller!) a lot of time and potential grief.

And if you have a breach to report, you can e-mail this site at breaches[at]databreaches.net.  I can’t promise I’ll be able to help, but I usually try.

 

No related posts.

Category: Breach IncidentsBreach TypesExposureSubcontractor

Post navigation

← AU: ADP exposes client emails
Dump of accounts from sfbaysss.net →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Obligations under Canada’s data breach notification law
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • DeleteMyInfo Wins 2025 Digital Privacy Excellence Award from Internet Safety Council
  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.