
Tower Records exposes three million shoppers' details...
Published: 6 December 2002 10:25 GMT
Music retail giant Tower Records has exposed the personal data of millions of US and UK shoppers at its online store - including email addresses, phone numbers and past purchases.
A glitch on the company's website allowed anyone to view its database of customer orders dating back to 1996, including home addresses, email addresses, phone numbers and what music or video products were purchased. More than three million such records were exposed.
A Tower Records representative said: "It was a technical error, and when we discovered it we were fairly horrified and we fixed it in a matter of hours."
The company said no credit card numbers appear to have been revealed, but the news will do little for the reputation of ecommerce, which has persistently been dogged by security fears.
One Tower Records customer contacted said: "I'm shocked and disappointed. I will no longer do online business with Tower Records."
The security leak arose out of a programming error in a script called "orderStatus.asp." When customers requested information on their order via the Tower Records site, the script called up the record, displaying the order number as part of the URL of the resulting page.
But the script allowed customers to type a different order number into the URL and call up a different record. In the change made Wednesday, Tower Records now requires customers to log in with their email address and password before they can view information about their order.
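The flaw and the fix described above, sketched as an added example. This is not Tower Records' code (the ASP script is not reproduced in the article). The order store, the session value and all function names are hypothetical, and the ownership comparison is an assumption about what the login requirement has to enforce for the fix to hold.

```python
# Added illustration: constructed data, hypothetical names throughout.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_email: str
    items: tuple


# Constructed sample records standing in for the order database.
ORDERS = {
    1001: Order(1001, "alice@example.com", ("CD: sample album",)),
    1002: Order(1002, "bob@example.com", ("VHS: sample film",)),
}


class AccessDenied(Exception):
    """Raised when the caller may not view the requested order."""


def order_status_flawed(order_id: int) -> Optional[Order]:
    # Behaviour the article describes: the order number taken from the
    # URL is the only input, so any visitor can read any record.
    return ORDERS.get(order_id)


def order_status_fixed(order_id: int, session_email: Optional[str]) -> Order:
    # session_email is set by the server only after an e-mail and password
    # login; it is never taken from the URL.
    if session_email is None:
        raise AccessDenied("login required")
    order = ORDERS.get(order_id)
    # Same error for "no such order" and "someone else's order", so the
    # response does not confirm which order numbers exist.
    if order is None or order.owner_email != session_email:
        raise AccessDenied("order not available")
    return order
```

A login check on its own would still let any signed-in customer read other customers' orders; the comparison against the record's owner is what closes the hole.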
The blunder is made all the more embarrassing by the company's privacy policy, which says: "Your TowerRecords.com Account information is password-protected. You and only you have access to this information. TowerRecords.com takes steps to ensure that your information is treated securely."
Declan McCullagh writes for News.com