Many of us have done it.
Rather than emailing a long list of people using the Bcc field, we’ve used Cc instead.
The result? Everyone who receives the email sees the email address of everyone else who has been sent the email.
And that may not be that big a deal if you’re sending an internal email to staff inside your company, but it’s a problem if the people you are emailing are external, and didn’t want their email address to be made public or their relationship with you to be shared with others.
Like, for instance, if the people who made the email blunder were an HIV clinic sending out its newsletter to 780 people.
As The Guardian reports, an inquiry has been ordered into how the 56 Dean Street sexual health clinic in Soho, London – which set a World Record for the most HIV tests performed in one location on World Aids Day in 2011 – managed to disclose the names and email addresses of approximately 780 people.
Health Secretary Jeremy Hunt told delegates at an NHS conference in Manchester that he was ordering an inquiry into the “completely unacceptable” breach:
“Nothing matters more to us than our own health, but we must also understand that for NHS patients nothing matters more to them than confidence that the NHS will look after their own personal medical data with the highest standards of security.
“The truth is the NHS have not won the public’s trust in our ability to do this as today’s completely unacceptable data breach at the Dean Street surgery demonstrates.”
Of course, aside from the privacy breach – these types of email goofs can also potentially assist spammers in targeting individuals with their unwanted marketing messages.
I’m not sure they need much of an inquiry to work this one out. Someone screwed up and pasted the email addresses into the wrong field.
This wouldn’t have happened if they had used properly configured mailshot software for sending out their newsletters, or if their email client had warned that they had a ridiculously large number of people in the CC field and asked for confirmation that the email really should be sent?
How hard would it be for email systems to make that check? Or even to spot that a large number of people at different domains have been cc’d and perhaps that might indicate a human goof, and a suitable warning message should be displayed?
I also hope the investigation will explore whether the newsletter’s email database was being stored securely or not.
I have no doubt that the classic Cc/Bcc error will continue to be made. Just make sure that you’re always careful when you’re emailing people that you’re not unwittingly breaking their trust.
Read more in the article in The Guardian.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.