Basic email blunder exposed possible victims of child sexual abuse

When it comes to mistakenly putting recipients’ email addresses in the “To” field instead of the “Bcc” field, happy endings aren’t common. But it was most particularly damaging when that common email misstep was made by the UK’s Independent Inquiry into Child Sexual Abuse (IICSA), which sent out a bulk email that identified possible victims of child sexual abuse.

The Information Commissioner’s Office (ICO) said on Wednesday that it’s fined the IICSA £200,000 (USD $260,000) over the blunder.

The Inquiry covers England and Wales. It was set up in 2014 to investigate the extent to which institutions – specifically, according to the BBC, local authorities, religious organizations, the armed forces and public and private institutions – failed to protect children from sexual abuse.

The Inquiry’s failure to keep confidential and sensitive personal information secure is a breach of the Data Protection Act 1998, the ICO said.

According to the ICO, on 27 February 2017, an IICSA staff member sent a blind carbon copy (Bcc) email to 90 Inquiry participants telling them about a public hearing. After somebody spotted an error in the email, a correction was sent out. But in that correction, email addresses were mistakenly entered into the “to” field, instead of the “Bcc” field.

That glitch let recipients see each other’s email addresses and thereby identified them as possible victims of child sexual abuse.

Participants’ full names were included – or were part of an attached email signature – in 52 of the email addresses.

One of the recipients alerted the Inquiry to the breach. He or she entered two more email addresses into the “to” field, then clicked on “Reply All.”

It snowballed from there. First, the Inquiry sent out three emails, asking the recipients to delete the original email and not to circulate it any further. One of those emails generated 39 “Reply All” emails.

One recipient told the ICO he was “very distressed” by the security breach. In total, the Inquiry and the ICO received 22 complaints.

ICO Director of Investigations Steve Eckersley:

This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.

People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.

The error could have been avoided with more staff training, a different email account, and a lot less trust in the IT company hired to manage the mailing list, the ICO said. Specifically, its findings:

  • The Inquiry failed to use an email account that could send a separate email to each participant.
  • The Inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s email addresses were entered into the “Bcc” field.
  • The Inquiry hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list.
  • In July 2017 a recipient clicked on ‘Reply All’ in response to an email from the Inquiry, via the mailing list, and revealed their email to the entire list.
  • The Inquiry breached their own privacy notice by sharing participants’ emails addresses with the IT company without their consent.

What to do?

It’s not easy to muster up good advice for people who make the To/Bcc mistake. The fact that it happens so regularly (if you haven’t done it, I bet you know somebody who has) suggests that there’s either a basic design flaw in email, or that normal email clients might be the wrong tool for the job.

If you’re sending sensitive emails you might want to look at hiding your email client’s “To” and “CC” fields so that you simply can’t enter email addresses in a way that allows them to be shared. Alternatively, you could use an email marketing platform that sends an individual copy of your email to every individual on a mailing list.