Data protection authority reports itself to itself after data breach

Privacy watchdog reports itself to itself for data breach

Oops.

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has ‘fessed up that last month it made the same kind of boo-boo many others have committed before – sending out an email with a long list of email addresses listed for all to see in the Cc: rather than hidden away via the Bcc: field.

The email, which exposed the email addresses of 38 journalists and editors on 24 May, was ironically part of a campaign designed to raise awareness of Europe’s GDPR data protection legislation.

Sign up to our free newsletter.
Security news, advice, and tips.

The email’s translated subject line?

“What does the Privacy Act mean to you”

Ap email

It’s hardly the biggest data breach the world has ever seen, but the fact that it was caused by the agency which has been policing the activities of the likes of Facebook, Uber, and Microsoft inevitably raised some eyebrows.

Journalists quickly asked whether the data protection agency would be reporting itself to… itself. Which, it appears, they did… albeit not within the 72 hours required by GDPR legislation.

Oh dear.

Full marks for transparency I suppose, but probably better if it hadn’t been quite so transparent with individuals’ data in the first place.

Hear more about this incident, and other organisations who have made similar blunders, and how they might be stopped, in this episode of the “Smashing Security” podcast:

Smashing Security #130: 'Doctored videos, BCC blunders, and a diva'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.