A father who found a security flaw on a family discounts website says he was blocked on Twitter when he contacted the firm about the problem.
Alex Haines found an apparent method to view the personal data of other users – including email addresses and phone numbers – during the sign-up process for Kids Pass.
Kids Pass offers its 1.4 million members discounts at attractions such as theme parks.
It said the issue had now been fixed.
The UK’s data watchdog has said it is looking into the matter.
“I was down in Devon holidaying for the weekend with my family but because of bad weather we needed something to do so we signed up to Kids Pass,” explained Mr Haines.
While doing so, he noticed that a simple tweak of the web address appeared to recall data belonging to another customer within the validation form.