NHS Digital exposes hundreds of email addresses after BCC blunder copies in entire invite list to 'Let's talk cyber' event
It's like rai-iiiiiin on your wedding day
NHS Digital has scored a classic Mail All own-goal by dispatching not one, not two, not three, but four emails concerning an infosec breakfast briefing, each time copying the entirety of the invite list in on the messages.
The first email sent yesterday morning thanked participants for "registering for NHS Digital's Full Digital Breakfast: Let's talk cyber, scheduled for Thursday 21 October 2021, 8:00-9:00am."
Apparently Neil Bennett, CISO at NHS Digital, and Phil Huggins, National CISO at NHS X, "along with guest speakers, will have a conversation about the ongoing protection and how an increasingly digitised world means we must be super vigilant and cyber secure, where cyber hygiene is essential in protecting patients."
According to sources caught up in the email chain, NHS Digital, which provides IT for health and social care in England, sent the emails in an attempt to change the invite details. The fourth was a cancellation "again with every single person copied in," one healthcare techie told us.
"They have subsequently put an email out to a BCC list that just reiterates the meeting is on but does not acknowledge the data breach.
"Oh and it's still doing the rounds as some people have done the usual 'Reply All', which is a frustration to anyone who didn't want their emails sharing or their inboxes clogging."
The event, which is scheduled for tomorrow morning, is open to anyone who wants to register. It was estimated by people on the email chain that between 100 to 200 email addresses were shared across the attendee list. It included a mix of private individuals and private company addresses.
As one of those registered told us, the irony wasn't lost on them given the breakfast briefing subject matter: "So, not so conscious of security then."
- UK Ministry of Defence apologises – again – after another major email blunder in Afghanistan
- East London council blurts thousands of residents' email addresses in To field blunder
- Brit housing association blabs 3,500 folks' sexual orientation, ethnicity in email blunder
- 150 infosec bods now know who they're up against thanks to BT Security cc/bcc snafu
- Stop replying! pleads NetApp customer stuck in reply-allpocalypse
An NHS Digital spokesperson said of the issue: "We take our responsibility to safeguard personal data extremely seriously. This was an invitation to a closed event sent to individuals who had confirmed they wished to attend.
"As soon as we became aware of concerns we took immediate remedial action including reporting the incident for further investigation and deleting the original invitation.
"We seek to continually improve our processes and will ensure we provide delegates with an alternative means of attending our events in future."
The Reg has also asked the UK's Information Commissioner's Office if anyone has reported the screw-up, and it said it hadn't yet received a report. A spokesperson said: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms." ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust