Page last updated at 11:26 GMT, Friday, 19 June 2009 12:26 UK

Personal data exposed on website

By Kevin Peachey and Bill Wilson
Personal finance and business reporters, BBC News

Parcelforce website
Parcelforce allows customers to track the progress of their delivery

Personal data including the signatures of recipients has been exposed to those tracking deliveries on the Parcelforce website, the BBC has discovered.

A failure in the system allowed people using the mail tracing service access to the name, postcode and signature of various addressees.

The breakdown put Parcelforce at risk of breaching data protection rules.

The delivery service, part of the Royal Mail Group, apologised. It said the problem had been resolved.

Fail track

Customers sending a package with Parcelforce Worldwide are given a reference number which allows them to track the progress of the delivery.

The more you think about it, the more you wonder what is going on
Parcel recipient Linda Mitchell

However, when the BBC News website entered reference numbers into the "track and trace" feature on the Parcelforce website, a series of unconnected deliveries was revealed.

Although the same reference number was typed in, the specifics of parcels with other reference details were displayed.

Within the space of 30 minutes, the system handed out details of parcels in Cleveland, Swansea and even awaiting customs clearance en route from Shanghai.

These included some parcels that had already been delivered. On the page declaring "proof of delivery", the name and postcode at its destination were shown, alongside a reproduction of the signature of the recipient.

Such information would give an identity fraudster easy access to people's names, addresses and signatures.

During the BBC's investigations, we saw the details of Linda Mitchell, of Farnham in Surrey, and the signature of her mother who signed for the parcel.

Mrs Mitchell noticed a problem when she entered the reference number on the website and it said her parcel was in Glasgow, then Coventry.

"The more you think about it, the more you wonder what is going on," she said.

And BBC News website reader Steve Davis, of Twickenham, said he was left confused by the tracking service fault.

"I thought that the bike I had been waiting for all week had been delivered and accepted in Germany," he said.

Data Protection

Businesses have a responsibility to keep personal and sensitive information secure, according to the Information Commissioner's Office (ICO).

Parcelforce website
Parcelforce Worldwide is part of the Royal Mail Group

"Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure," said a spokeswoman for the ICO.

"Failure to protect personal details such as names, addresses and signatures could lead to information falling into the wrong hands and ultimately the loss of customers' trust and confidence.

"We will be contacting Parcelforce to establish how this security breach occurred and to find out what steps it will be taking to ensure that such a breach cannot happen again."

On some occasions, the website suggested the tracking service was "temporarily unavailable".

A spokesman for Parcelforce Worldwide apologised to customers who had been affected.

He said the problem emerged after work to the computer system late on Wednesday night and early on Thursday morning. Attempts were being made to fix it, with the online and telephone system halted until this had been done.

"We can confirm that the fault was rectified and the service restored on Thursday night. We apologise to customers for any inconvenience caused."

Parcelforce Worldwide advertises itself as able to deliver to 99.6% of the world's population. It aims to be "the UK's most trusted worldwide express carrier".

In the nine months to Christmas last year, all four Royal Mail businesses were profitable for the first time in almost 20 years. Royal Mail Letters, the Post Office, Parcelforce Worldwide and European parcels business GLS contributed to an operating profit of £255m.

The government is planning to sell 30% of Royal Mail's parcels and letters service.

Data loss

This is not the first case of potential exposure of sensitive data.

Last month, it was revealed that a laptop computer with details of 109,000 members of six pension schemes had been stolen from offices in Marlow in Buckinghamshire.

The data, which was not encrypted, included names, addresses, dates of birth, employers' details, national insurance numbers, salary details and, in the case of those receiving their pensions, their bank details too.

Last October, a laptop containing personal details of more than 100,000 members of the Network Rail and British Transport Police pension schemes was stolen from the accountancy firm Deloitte.

And in November 2007, HM Revenue and Customs lost two computer discs that held the entire child benefit database, including the personal details of 25 million people, covering 7.25 million families.

If a business regularly fails to safeguard sensitive information, it can be served with an enforcement notice by the Information Commissioner. Any breach of such a notice is a criminal offence.

Print Sponsor

Pension details of 109,000 stolen
28 May 09 |  Business
Wrong benefit payments continue
14 May 09 |  Business
Cybercrime threat rising sharply
31 Jan 09 |  Davos 2009
Mail privatisation 'to go ahead'
11 Jun 09 |  UK Politics

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific