Zimbabwe’s largest e-commerce company, HnT, accidentally exposes user database

Hammer n Tongues, arguably Zimbabwe’s largest e-Commerce company, yesterday morning accidentally sent out private contact details of  over 5,000 customers in an email to their customer base. The details included name, email address, phone number and the city of the customers. The details also included a customer buyer ID that the company uses on their ecommerce platform.

The information, which was in an excel spreadsheet, was clearly meant for internal use only. According to the email, the customers in spreadsheet were inactive users, which just means users that haven’t bought anything in a long time, or have never done so.

Later the same day, the company sent out an email to recall the previous email. Here:


Dear users

Please be advised that an email was sent with the subject line ‘Hammer and Tongues Shopping Mall Copy of HTSM USers updated to inactive users.xls’

This email was for internal purposes only and not meant for public consumption.

We would like to recall that message and ask the public not to use, reproduce any part of the message and attached database as it is the sole property of Hammer and Tongues Africa Holdings.

This will likely unsettle a lot of their customers as it creates a perception that HnT’s private information handling procedures are lax. A lot of people would likely feel uncomfortable at the possibility of their ecommerce activities shared with the world.

We requested further comment from the company but they hadn’t responded with one by the time we published the article. Guys that harvest email addresses to spam people with local promos and other such are probably gleefully adding these email addresses to their databases as we speak.

We wrote about HnT’s ecommerce effort here a couple of weeks ago. They company is making a huge bet on eCommerce in the country. Bigger than any startup has made so far. Going by this number alone, it shows they have gained some modest traffic since launch in July last year. What’s harder to see is the complete picture that this inactive users number contributes to. The last time we asked HnT for their customer base numbers, they wouldn’t give them, which is usually a sign there’s not much to celebrate just yet. The inactive users could be a significant portion of their customers or just a small fraction, who knows!

26 thoughts on “Zimbabwe’s largest e-commerce company, HnT, accidentally exposes user database

  1. This issue is being blown out of proportion especially where you say “Guys that harvest email addresses” cause essentially only clients received that email. Also that information is not as private as one would suggest. Anyone with access to a browser and clicks on a phishing advert becomes liable to spam of “local promotions”.

    Private information could be your banking details or National ID number or even your address. Meager things like email and personal cellphone number can not be treated this way cause we use them in open public communication.

    I am not condoning HnT for leaking this information, but making sound that their “lax” is an exorbitant use of words. I thought TechZim was about reporting real tech news not tabloid jingles i.e. H-Metro. Learn your cyber law and know both legal and ethical issues in IT before making posts like this.

    1. malware on infected customers machines can still read that data and send it off to said mail harvesters

      also mail harvesters often sign up to these kinds of services to see what they can scrape etc

      it should be noted this isn’t a failing of there platform but a human error so we shouldn’t worry too much about the website side but rather those controlling it

      Private information is any information i don’t want the general public to have – this might include my email address, phone number and city if i so decide i do not want to share that information publically

      email and phone numbers are generally considered private information these days across the board (regardless of if you post it on public message boards on other sites etc

    2. Malware – “is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.”

      after quoting the above a customer can clearly have an abundance of his/her own clients friends and family who have contacts in his machine, does this mean I should be angry with my sister if my bank detail where changed because some malware wormed its way on to her computer? HnT then stand in the same position despite that the information that was sent can barely do harm though it was not meant to be shared.

      I am very awake, got my BSc (Hons) Computer Science on my wall to prove it, and yes I have watched “Focus”, all it proves that even with what happened we are not ready to deal with such characters, you should see the security that half of the so called security companies have in Zim, it is just sad.

      Though we dont have concrete laws yet here try reading the “Federal Information Security Management Act of 2002” from a well developed country (USA) which simply put, if HnT had supplied your ID number, Social Security and Banking Details to the public they can and will be prosecuted, with the latter being sued. Things like cell number and your name which half you probably already do on Facebook public don’t amount to squat.

      Like I said, what happened was ethically and morally wrong, not legally but also people must use this as a wake up call, we ain’t in the stone age every single one of us must protect their information.

    3. Vajohn you must be in the team that leaked the information, you are trying to save your neck …. ahh…. actually you really don’t understand what privacy is.

        1. Nhai vaJohn are you mad? So what information do you think constitutes a breach of privacy kana ikaReleaswa? Go and read the HT privacy statements, that leak was very bad, and heads MUST roll at HT,

  2. This time it was only name, mobile number and city users lived in but other details like ID number and physical address are stored and could have just as easily been in the spreadsheet.

      1. Using your name I can look up more personal information and determine if you are are a valuable target. After that I can pass on the basic data to a professional crime syndicate who give me a cut for the initial ground work. These things happen, just not in Zimbabwe.

  3. I think the Hnt issue is being blown out of proportion.How many corporates have made fundamental mistakes that have cost a huge chunk to them and to stakeholders?I don’t think it was intentional at all but they now have to ensure stringent measures to circumvent such errors. I understand the feeling if your details are out there to spammers but there is an option to unsubscribe or report such spam e-mails .Zvinowanikwa izvi.

    1. I don’t think it was intentional at all

      exactly what it says in the article. So what do you mean being blown out of proportion?shouldn’t have been covered at all?
      over 5,000 emails and phone numbers shared and when that’s covered it’s a bad thing?

    2. Zvinowanikwa izvi?

      I hope you’re not amongst your fellow #$&@ who were entrusted with this data and were careless with it. Because you should be relieved of your services and held accountable, buddy!

      If you’re not and you have custody to a similar form of data, then people better not know who you are.

      The level of ignorance is epic!

  4. while mistakes do happen…. it does show how badly data is stored and treated internally in their company. every IT company that deals with user information has an obligation to protect that data from leaks. this was not a hack, this was just user negligence and thats not acceptable…heads should roll for this

    1. Zita, foni, ne email hazvina kana basa izvo! Dai vabuditsa database remitupo taitozotya anonymus who I suspect uses black magic

  5. But lets look at this –

    You are storing client Information in an .xls file – COME-ON – why not put it in a database and give access via a logical system

  6. To change a MasterCard/Visa password all I need is your name. using your name and investigation I can obtain your DOB, ID, address which are the only things the baby asks for.

    Given that these people are on the HnT database, definitely some of them have current accounts that can be run into overdraft, and among those there are a few who don’t. know much about security. I’ve come across a second hand kindle and few iphones that were sold without logging out of their accounts. Racking up a bill on Amazon store is just the least of what a pro could do with that.

    Luckily no one local has the mind for it yet as is obviously visible.

  7. That was bad but it happens. Hope no one tries the mafia thing I saw on a post above kkkk. Also remember that info sys in zim is not so intergrated. Having someone’s phone number and address might not yield much for mafia style tracking requires connected systems that can be accessed anywhere. Now hope pane vane info yakadishwa out hapana anebundu otherwise as per post above mafia riri ku feature manje manje

    1. don’t need a major info sys, just your address. watch the movie “focus” staring Will Smith. One day u better be ready.

  8. Lol. OK I admit I made a bit of hyperboli. But this is there internet! VaJohn is right but it’s not about definitions and labels. It’s about protecting ourselves from harm. Could the leaked HnT info be used to steal? Highly unlikely but yes.

    My sister was once approached by a conman who claimed to be a relative. He was so convincing describing intimate family details – kumusha, mutupo, zvese. However she was thrown of by something uncanny about him and dismissed the guy. No one ever saw or heard of him again. Now imagine when those guys learn to use computers. They’re already reeking havoc with mobile money scams.

    The most I’ve done is hack into someone’s ADSL by looking up IP addresses close to me. It was purely for the academic challenge. But after that exercise I started wondering if there are more motivated people out there willing to do worse.

    That’s my finally word.

    P.S. I hardly follow my own advice. My router is user, password are still ‘admin’ ‘admin’

Comments are closed.