
...and so are we, given their responses
By Andy McCue
Published: 30 September 2004 12:05 BST
Confusion surrounds the cause of a security breach at Sainsbury's that caused someone else's credit card details to appear in a customer's online shopping account at the weekend.
Customer and silicon.com reader Helen Whelan sent an email alerting Sainsbury's customer service team to the security breach on Sunday evening.
Whelan had gone to the checkout section of the Sainsburystoyou.com shopping site to pay for her goods but when presented with payment options she noticed that someone else's credit card details had been added to the choice of cards she could pay with.
Customers can add and delete credit and debit card details in their account, so card details don't have to be entered each time, making the checkout process much quicker.
It took Sainsbury's almost two days to get back to Whelan with an explanation by email for the security error. The email said Whelan was able to read another person's account details because of "corruption" on her account and that the technical support team was confident it was a one-off occurrence after extensive testing to try and replicate the problem.
"The fact that we have not been able to repeat the problem means that our Technical Support Team are confident that this will not occur again," the email said. "However, as an additional precaution our Technical Support Team have set up two separate internal systems to hold the data that is stored on each person's account. This means that details from each separate data location cannot possibly be linked together and hence appear on any other account."
Whelan said she was satisfied by that explanation but silicon.com then contacted the Sainsbury's press office and, apparently oblivious to the fact the customer had already been told that it was a one-off technical glitch, the spokeswoman told us it had been caused by "human error" on the part of a customer services representative.
We're still waiting for Sainsbury's to come back to us to clarify that one and also to confirm whether it has contacted the customer whose credit card details appeared in Whelan's account.
Chris McNab, security expert and consultant at Matta, said it looks like a system misconfiguration problem but added it is vital the cause is fully investigated to ensure such data corruption won't occur in the future.
"Sainsbury's say that it is an isolated case of data corruption - the system listing somebody else's card details under her account - which is feasible and shouldn't happen very often at all. The other cause would be poor programming of Sainsbury's online store itself, where an intermittent bug exists that results in other people's credit card details being displayed because the system is querying the backend databases incorrectly."