Data leak hits UK's Victorian-era photo archive, exposing photo-mug buyers


A forgotten database left wide open on the internet has exposed over 300,000 records belonging to users of Francis Frith, the UK’s historic photography archive.

Founded in 1860, Francis Frith is a company based in Salisbury. It is renowned for its vast collection of old-school photographs, documenting towns and villages across Great Britain between 1860 and 1970. The company sells prints, books, and personalized photo products with photos from its historic archive.

The data leak first came to light after Cybernews researchers identified an Elasticsearch instance leaking user information and private messages. The database lacked authentication and was accessible to anyone on the internet.

Some of the leaked messages referenced British heritage site francisfrith.com, providing the first indication of the source. Further analysis confirmed the data belonged to customers of Heritage Resource Management Ltd., the company that manages Francis Frith’s product manufacturing operations.

Cybernews researchers found that the unsecured database contained user data, including full names, email addresses, and, in some cases, physical addresses that were revealed in private messages. Within the dataset were nearly 44,000 customer enquiry messages.

The exposed records included both new and legacy accounts, with some data dating back nearly two decades to 2006.

What data has been leaked?

  • Full names
  • Email addresses
  • Physical addresses for some users (in some customer messages)

Users are at risk of phishing campaigns

While the exposed information does not include financial or password data, the leak still poses a significant privacy risk. The danger is even greater for customers who include home addresses or other identifiable details in their messages.

Cybernews researchers warn that attackers could use the leaked data to impersonate the Francis Frith brand.

For example, they could exploit publicly accessible customer names and emails to craft targeted phishing or spam campaigns. In such a scenario, affected users could have received bogus emails about their photo mug or book order.

Phishing emails may lead to malicious websites, where more sensitive information, including credentials or credit card details, can be stolen if users enter it. Keystroke-tracking malware can also be disguised as a legitimate download on these websites. If users unintentionally install it on their devices, the malware may help attackers drain victims’ financial accounts.

Cybernews reached out to the company and the UK’s Community Emergency Response Team (CERT). The instance was secured, but the company provided no comment. Our journalists also contacted the company prior to the publication of this article, but at the time of writing, no response had been received.

Disclosure timeline

Leak discovered: September 8th, 2025
Initial disclosure: September 16th, 2025
Leak closed: September 23rd, 2025

