East London council blurts thousands of residents' email addresses in To field blunder
'Was a Mailchimp sub too hard?!' asks Reg reader
A local authority in East London has committed a classic privacy blunder by emailing what appear to be thousands of residents while forgetting to use the BCC field, exposing all of the email addresses to every recipient.
The cockup, which happened on Monday, saw locals in the borough of Tower Hamlets receive emails with hundreds of addresses visible in the To field.
Register reader Patrick, who was the unlucky recipient of one such message, told us: "The email I received had 400 recipients in the To: field, I assume because Outlook has a limit of 500... Just assuming that I received all the Bs and Cs (and I probably only received a chunk) – then that's ~5,000 email addresses they leaked."
The hapless council followed up with a (correctly BCC'd) email apologising to residents, which stated: "I would like to sincerely apologise on behalf of the Council for the administrative error made in sending this email identifying recipients' individual email addresses. I would like to reassure you that this matter has been reported internally and measures have been taken to avoid such an occurrence in the future."
We have asked the council if it wishes to comment and will update this article if it responds.
"Was a Mailchimp subscription too hard?!" asked Patrick, rhetorically.
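The council says "measures have been taken"; the usual measure is to make the mistake impossible rather than to rely on staff remembering the BCC box. The following is an added example, not the council's code or anything from the article: it builds a bulk notice so that the recipient list travels only in the SMTP envelope and the headers name nobody but the sender, and it adds a pre-send check that refuses a message exposing more addresses than policy allows. The addresses, the `MAX_VISIBLE_RECIPIENTS` threshold and the function names are constructed for illustration.

```python
"""Added example (not from the article): send bulk notices without exposing
recipients, and check an outgoing message for a To/Cc/Bcc leak before it goes.
All addresses and the policy threshold below are constructed for illustration."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (not real residents' addresses).
RESIDENTS = [f"resident{i}@example.org" for i in range(1, 401)]
SENDER = "noreply@council.example.gov.uk"

# Hypothetical policy: when a message goes to many people, at most this many
# addresses may be visible in the headers.  The value is an assumption for the
# example, not a mail-client limit.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_notice(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The visible To header names only the sender (a list address would do as
    well); the real recipients are returned separately so the caller hands
    them to the SMTP layer as envelope RCPT TO addresses.  No Bcc header is
    written into the message at all, so nothing can leak if a sending path
    fails to strip it (smtplib.send_message strips Bcc, but not every path does).
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # what each recipient sees
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_to_field_message(sender, recipients, subject="Council notice"):
    """The blunder from the article, for comparison: every recipient in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content("...")
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses any recipient can read from the headers: To, Cc and Bcc.

    A Bcc header that survives into the delivered message is itself a leak,
    so it is counted here rather than ignored."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, envelope_recipients, limit=MAX_VISIBLE_RECIPIENTS):
    """Return a list of problems; an empty list means the message may go out.

    The check only bites for bulk mail: a two-person thread with both names
    in To is fine, a 400-person notice with 400 names in To is not."""
    problems = []
    exposed = visible_recipients(msg)
    if len(envelope_recipients) > limit and len(exposed) > limit:
        problems.append(f"{len(exposed)} recipient addresses visible in headers")
    if msg.get_all("Bcc"):
        problems.append("Bcc header present in message; remove it before sending")
    return problems


if __name__ == "__main__":
    good, env = build_bulk_notice(SENDER, RESIDENTS, "Bin collection changes", "...")
    print("safe notice:", check_before_send(good, env) or "ok")
    bad, env = leaked_to_field_message(SENDER, RESIDENTS)
    print("To-field blunder:", check_before_send(bad, env))
```

Wiring `check_before_send` in front of whatever actually calls the mail server is the point: the sender cannot forget BCC because the send helper never offers a way to put the list in a visible header, and anything that bypasses the helper is stopped by the count. Chunking the envelope list to stay under a relay's per-message recipient cap is a separate concern and does not change what the recipients see.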
Email privacy blunders are as old as the technology itself. In this day and age of heightened data protection and phishing awareness, such things are taken a bit more seriously than they used to be.
With that said, only a statue could have failed to laugh at a similar blunder from 2019, when a car parts business emailed a bunch of dealers asking them for permission to use their data. Naturally, they did this through the medium of the CC field, turning it into a farce.
Similarly, BT Security managed to email 150 infosec bods who handed over their email addresses at a jobs fair, neatly revealing who each of the potential jobhunters was up against.
Such screwups can have more serious consequences: an NHS reply-all email chain in 2017 crashed the UK health service's Accenture-run email systems after generating half a billion messages, while in 2016 Chelsea and Westminster NHS Trust was fined £180,000 for repeatedly revealing the email addresses of people using one of its sexual health clinics. ®