£200,000 fine for exposing possible child abuse victims in classic Cc/Bcc email blunder

Think before you click ‘send’, or get your mailing list software to do the thinking for you.

£200,000 fine for exposing possible abuse victims in classic CC/BCC email blunder

The UK’s Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 for revealing identities of historic child abuse victims in a mass email.

The IICA was set up four years ago to investigate which institutions had failed to protect children from sexual abuse. As you can imagine, many vulnerable people may have communicated with the Inquiry and would have an expectation that their sensitive personal information would remain secure and confidential.

Unfortunately a simple email blunder exposed 90 of the participants, breaching the Data Protection Act.

Sign up to our free newsletter.
Security news, advice, and tips.

Announcing a £200,000 fine, the Information Commissioner’s Office (ICO) explained what went wrong:

On 27 February 2017, a staff member sent a blind carbon copy (“bcc”) e-mail to 90 participants informing them about a forthcoming public hearing. He noticed an error in a link contained within the body of the e-mail and sent a correction by entering the participant’s e-mail addresses into the ‘to’ field instead of the ‘bcc’ field, by mistake. The recipients of the e-mail could therefore see the e-mail addresses of all the other recipients (“the security breach”).

52 of the e-mail addresses contained the full names of the participants or had a full name label attached, and 23 included a partial name.

In response to this terrible but all-too-common privacy goof, the Inquiry told a supplier to set up a mailing list for participants. Unfortunately the mailing list was not properly tested before going live, and the Inquiry trusted its supplier that individual recipients would not be able to reply to the entire mailing list.

You can probably guess what happened next…

On 20 July 2017, a recipient clicked on ‘Reply All’ in response to an e- mail from the Inquiry via the mailing list. This revealed the recipient’s e-mail address to the entire mailing list, contrary to the Company’s advice. Four more participants revealed their e-mail addresses to the entire mailing list by clicking on ‘Reply All’ when replying to the recipient’s e-mail.

Despite promises that anyone registering on the forum would have their details stored securely, and not shared with any third parties, this wasn’t the case. The users’ email addresses were shared with the IT company setting up the mailing list without their consent.

Fining the IICSA £200,000, the ICO explained where failings had occurred:

  • The Inquiry failed to use an email account that could send a separate email to each participant;
  • The Inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s email addresses were entered into the ‘bcc’ field;
  • The Inquiry hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list;
  • In July 2017 a recipient clicked on ‘Reply All’ in response to an email from the Inquiry, via the mailing list, and revealed their email to the entire list;
  • The Inquiry breached their own privacy notice by sharing participants’ emails addresses with the IT company without their consent.

Email redAll of these problems could have been avoided if properly-configured and tested mailing list software had been implemented in the first place, or if the Inquiry’s email clients had warned that they had a ridiculously large number of people in the CC field and asked for confirmation that the email really should be sent.

How hard would it be for email systems to make that check? Or even to spot that a large number of people at different domains have been cc’d and perhaps that might indicate a human goof, and a suitable warning message should be displayed?

The Inquiry and the ICO received 22 complaints about the breach, and one complainant told the ICO that they were “very distressed” by what had happened.

The IICSA has apologised to affected individuals, but the damage has already been done.

The IICSA is far from the first organisation to breach innocent people’s privacy in this fashion and it won’t be the last. Other organisations would be wise to learn from their mistakes, if they wish to avoid causing similar harm (and receiving similar financial penalties) in future.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “£200,000 fine for exposing possible child abuse victims in classic Cc/Bcc email blunder”

  1. Jim

    Who receives the £200,000?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.