Personal data including the signatures of recipients has been exposed to those tracking deliveries on the Parcelforce website.
A failure in the system allowed people using the mail tracing service access to the name, postcode and signature of various addressees.
The breakdown put Parcelforce at risk of breaching data protection rules.
The delivery service, part of the Royal Mail Group, apologised. It said the problem had been resolved.
However, when the BBC News website entered reference numbers into the “track and trace” feature on the Parcelforce website, a series of unconnected deliveries was revealed.
Although the same reference number was typed in, the specifics of parcels with other reference details were displayed.
Within the space of 30 minutes, the system handed out details of parcels in Cleveland, Swansea and even awaiting customs clearance en route from Shanghai.
These included some parcels that had already been delivered. On the page declaring “proof of delivery”, the name and postcode at its destination were shown, alongside a reproduction of the signature of the recipient.
Such information would give an identity fraudster easy access to people’s names, addresses and signatures.
Businesses have a responsibility to keep personal and sensitive information secure.
A spokesman for Parcelforce Worldwide apologised to customers who had been affected.
He said the problem emerged after work to the computer system late on Wednesday night and early on Thursday morning. Attempts were being made to fix it, with the online and telephone system halted until this had been done.
Parcelforce Worldwide advertises itself as able to deliver to 99.6% of the world’s population. It aims to be “the UK’s most trusted worldwide express carrier”.