A technical SNAFU shut down the UK’s Royal Mail Click and Drop website on Tuesday after a security “issue” allowed some customers to see others’ order information.
The data leak started around 13:00 GMT, and according to an alert posted on Click and Drop’s status page, Royal Mail shut down the website about an hour later.
In an update posted shortly before 14:00 GMT, the postal service noted:
In subsequent alerts, Royal Mail assured customers that its engineers continued to work on a fix, and hoped to have the site back online “as soon as possible.” The service, which allows customers to print labels and pay for postage online, and then track packages until they reach their destination, vowed that it was “treating this as the highest priority.”
Later, Royal Mail suggested users resort to actual paper “emergency” order forms instead of the online versions. Who even owns a printer these days? Emergency, indeed.
About four hours later, at 18:01 GMT, the postal service marked the issue as “resolved,” and the website was up and running. “We apologise for any inconvenience this has caused our customers,” Royal Mail said. “The root cause is now under investigation.”
On Wednesday, the online service noted “no incidents reported today.” However, some customers took to Twitter to say the site still wasn’t working, and they had been charged twice but not received any postage label.
Royal Mail did not immediately respond to The Register‘s questions about how many customers’ data was exposed, or whether the incident was due to a mistake or something more malicious.
As of Tuesday, Royal Mail had not notified the UK’s Information Commissioner’s Office (ICO), according to Sky News. The postal service has 72 hours after becoming aware of a data breach to notify the consumer privacy watchdog agency, unless the leak doesn’t “pose a risk to people’s rights and freedoms” an ICO spokesperson told the media outlet.
The ICO didn’t immediately respond to The Register‘s inquiry. ®