1136 victims of crime have had their email addresses inadvertently shared with one another, according to reports.
The victims – mostly of theft and criminal damage – were emailed on Monday as part of a survey into whether victims felt they were receiving a better service after the introduction of a single telephone number for an investigation unit in London .
The emails were sent in seven batches, meaning between 118 and 197 other people saw each email address, when “human error” left addresses entered in the wrong field.
In a nutshell, people should have been contacted via “bcc:” (blind carbon copy) rather than “cc:”
A Metropolitan Police spokesperson said:
No other personal details were revealed and we are contacting everyone affected to explain what happened and to apologise.
Scotland Yard said they were now reviewing their processes in relation to email surveys and had referred the case to the Information Commissioner’s Office as a matter of course.
An ICO spokesperson confirmed they had received the referral and were looking into it.
To be able to serve a penalty we have to demonstrate that a breach caused substantial damage or distress, or that the organisation knew or ought to have known that there was a risk this could have happened.
The maximum penalty the ICO can issue is £500,000, but that’s often for very serious cases where the data breached is of an extremely sensitive nature.
To err is human, and no doubt many of us have accidentally cc’d people we meant to bcc in the past.
Let this unfortunate incident be a reminder to all organisations to be very careful when contacting people via email.