Almost 1,500 software developers registered to use the UK taxman's sandbox or API platform have had their email addresses blabbed in a mass mailing.
The snafu happened on Friday afternoon, when an email about the HMRC Developer Hub was accidentally sent with users' addresses visible in the CC field.
The email, with the subject line "API Platform update", was sent by the software developer support team at 1604 GMT.
"Please note the HMRC Developer Hub will remain shuttered over the weekend to allow us to continue testing the service. The Developer Sandbox for testing remains available. The API Platform is working as expected," the seemingly innocent email stated.
However, about an hour later, someone must have pointed out the mistake, and the team issued a recall for the message, which meant the same group received another email with all 1,455 or so email addresses cc'd in.
At 1809, a third email – this time blind-copying in the list – was sent to apologise for the breach.
"HMRC's policy is always to protect customer data, and we take this responsibility very seriously," the email said.
"Unfortunately, in a recent email, a mistake was made and your email address may have been shared with other recipients.
"I wish to apologise for this error and for any distress this may have caused."
As the Reg reader who alerted us to the cock-up observed, this kind of error is easily made, especially when the time is ticking away to beer o'clock.
An HMRC spokesperson said: "HMRC takes the protection of customer data extremely seriously and has a strong security culture.
"We can confirm that this matter was immediately reported through our internal incident reporting process and will be fully reviewed. We have contacted the software developers affected to alert them and to apologise." ®