Over 1000 email addresses exposed by Metropolitan Police blunder

Filed Under: Data loss, Law & order, Privacy

1136 victims of crime have had their email addresses inadvertently shared with one another, according to reports.

The victims - mostly of theft and criminal damage - were emailed on Monday as part of a survey into whether victims felt they were receiving a better service after the introduction of a single telephone number for an investigation unit in London.

The emails were sent in seven batches, meaning between 118 and 197 other people saw each email address, when "human error" left addresses entered in the wrong field.

In a nutshell, people should have been contacted via "bcc:" (blind carbon copy) rather than "cc:".

A Metropolitan Police spokesperson said:

No other personal details were revealed and we are contacting everyone affected to explain what happened and to apologise.

Scotland Yard said they were now reviewing their processes in relation to email surveys and had referred the case to the Information Commissioner's Office as a matter of course.

An ICO spokesperson confirmed they had received the referral and were looking into it.

To be able to serve a penalty we have to demonstrate that a breach caused substantial damage or distress, or that the organisation knew or ought to have known that there was a risk this could have happened.

The maximum penalty the ICO can issue is £500,000, but that's often for very serious cases where the data breached is of an extremely sensitive nature.

To err is human, and no doubt many of us have accidentally cc'd people we meant to bcc in the past.

Let this unfortunate incident be a reminder to all organisations to be very careful when contacting people via email.
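One way to catch this kind of cc/bcc mix-up before a survey mail leaves the building is a pre-send check on the visible headers. The code below is an added example, not from the article or the Metropolitan Police; the function names, the one-address limit and the sample addresses are assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: a bulk survey mail may show one address at most

def visible_recipients(msg):
    """Addresses every recipient can read: everything in the To and Cc headers."""
    headers = [str(h) for h in (msg.get_all("To") or []) + (msg.get_all("Cc") or [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})

def check_exposure(msg, limit=MAX_VISIBLE):
    """Return (ok, exposed); ok is False when To/Cc disclose more than `limit` addresses."""
    exposed = visible_recipients(msg)
    return len(exposed) <= limit, exposed

def build_individual(sender, subject, body, recipients):
    """Build one message per recipient so no address list is ever placed in a header."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, rcpt, subject
        m.set_content(body)
        messages.append(m)
    return messages

def sample_cc_blunder():
    """Constructed sample: a survey batch with the recipient list pasted into Cc."""
    m = EmailMessage()
    m["From"] = "survey@police.example"
    m["To"] = "survey@police.example"
    m["Cc"] = ", ".join(f"victim{i}@example.org" for i in range(1, 6))
    m["Subject"] = "Victim satisfaction survey"
    m.set_content("Please tell us about the service you received.")
    return m

if __name__ == "__main__":
    ok, exposed = check_exposure(sample_cc_blunder())
    print("send allowed:", ok, "| addresses visible to all:", len(exposed))
    safe = build_individual("survey@police.example", "Victim satisfaction survey",
                            "Please tell us about the service you received.",
                            ["victim1@example.org", "victim2@example.org"])
    print("individual sends allowed:", all(check_exposure(m)[0] for m in safe))
```

Run as a gate in the sending script, the check refuses the batch and the per-recipient builder gives a form that cannot leak the list through a wrong field.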

3 Responses to Over 1000 email addresses exposed by Metropolitan Police blunder

  1. Richard · 993 days ago

    "... we are contacting everyone affected ..."
    Hopefully using the correct field this time!

  2. Adding the email to the "to" field also reveals all the email addresses the mail was sent to. If you instead add all the email addresses to the "BCC" option, the only email address the recipient will see is the sender's. The "To" field will say "undisclosed recipients." This is especially useful if you are sending something where you don't want others to see the other recipients (like if you are sending your CV to two rival companies) at the same time.

  3. PDuran · 992 days ago

    Ya, the dang internet privacy group (whoever it was) did this to about a million World of Warcraft subscribers when everyone petitioned them to do something about WoW using our email addresses on the forums and in other publicly displayed locations. They sent out a mass reply to all of our requests for PRIVACY and they put everyone in the CC field. Worst email ever to screw that up on.

About the author

Anna Brading is Naked Security's editor. She has worked in tech for more than ten years and as a writer with Sophos for over five. She's interested in social media, privacy and keeping people safe online.