The source of the breach seems to be a poorly constructed contact form on the retailer’s website.
When a customer fills out the form, instead of sending the message to the company itself, the information was sent to its entire mailing list.
When the glitch was discovered, several customers turned to the contact form to complain and alert WH Smith to the issue - causing a vicious circle of more and more messages being sent out en masse.
Some of the emails contained personal information including customers’ full names, addresses, email and phone numbers, which were all sent out to hundreds of people.
@WHSmith I've been receiving emails all night with other people's confidential information. I hope you haven't mishandled my personal info— Jake ML (@jakemadg) September 2, 2015
A WH Smith spokesperson confirmed to City A.M. that the issue stemmed from a "processing bug" rather than a data breach or hack, and that 22 customers were identified as "impacted" by the glitch:
We can confirm that this issue has not impacted or compromised any customer passwords or payment details and we apologise to the customers concerned.