Hundreds of UK video game fans became unwitting recipients of each others’ email addresses this week following a messaging cock-up at online retailer GAME.co.uk.
El Reg learned of the snafu through reader David, who seems to have been something of a patient zero in the minor privacy flap. Human error meant that “To:” field rather than the “bcc:” was used in outgoing email marketing messages by GAME.co.uk.
David told us:
I received an email today from GAME regarding a recent order, in the to field was the email address of 25 other customers.
I email their customer services team to complain.
A few hours later, they emailed another message, this time with almost 1,000 customer address in the to field.
Another hour later, they emailed a further message with another 1,000 customer address in the to field.
The offending messages were sent on Monday morning from the GAME Customer Service email address. One came with the subject line “Important Information on your Pre Order from GAME.co.uk!
In response to queries from El Reg about the messaging fail, GAME confirmed and apologised for the incident, which it blamed on human error.
“A small number of customers received an email from us, on which other recipients’ email addresses were visible,” it said. “We want to assure all customers that their privacy is very important to us and in this instance, it came down to human error.”
“We would like to extend an apology to those affected. If any customers would like to speak to somebody about this, they’re encouraged to contact our customer service team.”
Staff hitting the wrong button or not knowing the purpose of bcc in emails is an all-too-common problem. Exam board OCR, housing staff at Sheffield Council and Symantec-owned Veritas have all messed up in this area over recent months.
Although mildly irksome it’s no big deal – except where the recipients or email are in themselves confidential or sensitive.
A bcc mix-up where an HIV support group inadvertently revealed patients' identities to others in the same boat via an email blunder is, of course, far more serious and something that rightly led to censure by data privacy watchdogs. ®