Data Leak Exposes Francis Frith’s Historic Photo Archive Customers

A misconfigured database exposed over 300,000 Francis Frith customers’ personal details, including names and emails, putting buyers of the UK’s historic photo archive at phishing risk.

    A major data leak has exposed personal information belonging to over 300,000 users of Francis Frith, the UK’s Victorian-era photography archive known for documenting British heritage through historic imagery.

    Founded in 1860, the Salisbury-based company is famous for its extensive photo collection capturing towns and villages across Britain between 1860 and 1970. The firm sells prints, books, and personalized memorabilia featuring its vintage photographs — but a forgotten online database has now put thousands of customers’ privacy at risk.

    Exposed Database Revealed Sensitive User Information

    The incident came to light when researchers discovered an open Elasticsearch database containing sensitive customer data and private messages. The database, which required no authentication, was accessible to anyone with an internet connection.

    Researchers noted that some messages referenced the Francis Frith website, leading to the discovery that the data belonged to customers of Heritage Resource Management Ltd., the company responsible for Francis Frith’s production operations.

    The unprotected dataset included full names, email addresses, and in some cases, physical addresses shared through private messages. Nearly 44,000 customer enquiry messages were also among the exposed information, with records dating as far back as 2006.

    Types of Data Compromised and Potential Risks

    The compromised information includes:

    • Full names
    • Email addresses
    • Physical addresses (in some messages)

    While no passwords or financial details were exposed, the leak poses a serious privacy risk.

    “Even in the absence of financial data, attackers can easily exploit leaked names and emails to impersonate trusted brands and lure users into phishing traps,” warned researchers.

    Rising Phishing Risks for Heritage Photo Buyers

    With access to customer details, threat actors could impersonate Francis Frith and send deceptive emails about fake book or photo mug orders. Such phishing messages might redirect victims to malicious websites where they could be tricked into entering credentials or payment details.

    Some sites may even distribute keystroke-tracking malware disguised as legitimate downloads, allowing attackers to capture personal or financial data once installed on a victim’s device.

    Company Response and Timeline of Disclosure

    Security experts reported the issue to both Francis Frith and the UK’s Community Emergency Response Team (CERT). Although the exposed instance was eventually secured, the company has not issued a public statement.

    The timeline of events is as follows:

    • Leak discovered: September 8, 2025
    • Initial disclosure: September 16, 2025
    • Leak secured: September 23, 2025

    As of publication, Francis Frith has not responded to requests for comment. The exposure underscores the ongoing risks of unsecured cloud databases — even for companies safeguarding pieces of national history.
