Data protection authority reports itself to itself after data breach

Graham Cluley
@gcluley

Oops.

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has ’fessed up that last month it made the same kind of boo-boo many others have committed before – sending out an email with a long list of email addresses listed for all to see in the Cc: field rather than hidden away via the Bcc: field.

The email, which exposed the email addresses of 38 journalists and editors on 24 May, was ironically part of a campaign designed to raise awareness of Europe’s GDPR data protection legislation.


The email’s translated subject line?

“What does the Privacy Act mean to you”

It’s hardly the biggest data breach the world has ever seen, but the fact that it was caused by the agency which has been policing the activities of the likes of Facebook, Uber, and Microsoft inevitably raised some eyebrows.

Journalists quickly asked whether the data protection agency would be reporting itself to… itself. Which, it appears, they did… albeit not within the 72 hours required by GDPR legislation.

Oh dear.

Full marks for transparency I suppose, but probably better if it hadn’t been quite so transparent with individuals’ data in the first place.

Hear more about this incident, and other organisations who have made similar blunders, and how they might be stopped, in this episode of the “Smashing Security” podcast:

Smashing Security #130: 'Doctored videos, BCC blunders, and a diva'



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
