Email Data Breaches

Did you know that one of the major sources of data breaches isn’t hackers, but the accidental disclosure of e-mail addresses? Under the new 2018 data protection regulations, an e-mail address is considered Personally Identifiable Information, and is therefore covered by the UK Data Protection Act 2018 and the EU General Data Protection Regulation 2018 (GDPR).

Blind Carbon Copy (abbreviated Bcc:) allows the sender of a message to conceal the person entered in the Bcc: field from the other recipients. The concept originated in the days of paper-based communications and typists, when it applied to paper correspondence; it now also applies to email.

In some circumstances, the typist creating paper correspondence had to ensure that multiple recipients of a document did not see the names of other recipients. To achieve this, the typist either:

  • Added the names in a second step to each copy, without carbon paper;
  • Set the ribbon not to strike the paper, which leaves names off the top copy (but may leave letter impressions on the paper).

With email, recipients of a message are specified using addresses in any of these three fields:

  • To: Primary recipients
  • Cc: Carbon copy to secondary recipients—other interested parties
  • Bcc: Blind carbon copy to tertiary recipients who receive the message.

The primary and secondary recipients cannot see the tertiary recipients. Depending on email software, the tertiary recipients may only see their own email address in Bcc, or they may see the email addresses of all primary and secondary recipients.
It is common practice to use the Bcc: field when addressing a very long list of recipients, or a list of recipients that should not (necessarily) know each other, e.g. in mailing lists.

There are a number of reasons for using the BCC feature:

  • Bcc is often used to prevent an accidental “Reply All” from sending a reply intended for only the originator of the message to the entire recipient list.
  • To send a copy of some correspondence to a third party (for example, a colleague) when you don’t want to let the recipient know that this is being done (or when you do not want the recipient to know the third party’s e-mail address, assuming the other recipient is in the To: or Cc: fields).
  • To send a message to multiple parties with none of them knowing the other recipients. This can be accomplished by addressing a message to yourself and filling in the actual intended recipients in the Bcc: field.

In some cases, use of Blind Carbon Copy may be viewed as mildly unethical. The original addressee of the mail (To: address) is left under the impression that communication is proceeding between the known parties, and is knowingly kept unaware of others participating in the primary communication.

A number of serious data breaches have been caused by people using the To: or Cc: fields instead of the Bcc: field when sending messages to groups of people. This is the second most common form of e-mail data breach, after sending e-mails to the wrong person.
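The To:/Bcc: mix-up described above can be caught before a message leaves. The following is an added example, not code from the article: it builds a bulk message addressed to the sender with the real recipients kept only in the SMTP envelope, and gates any message that exposes a long list in To: or Cc:. The threshold `MAX_VISIBLE`, the function names and the `example.org` addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 5  # assumed policy threshold; not a figure from the article


def visible_recipients(msg):
    """Addresses that every recipient can read: everything in To: and Cc:."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_outbound(msg, limit=MAX_VISIBLE):
    """Pre-send gate: refuse messages that expose a long recipient list."""
    exposed = len(visible_recipients(msg))
    if exposed > limit:
        return False, f"{exposed} addresses visible in To:/Cc:, move them to Bcc:"
    return True, "ok"


def build_bulk(sender, recipients, subject, body):
    """Address the message to the sender and keep the real recipients out of
    the headers. The returned list is the SMTP envelope, for example
    smtplib.SMTP.send_message(msg, to_addrs=envelope)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def demo():
    # Constructed sample data: 90 recipients, as in the inquiry incident.
    people = [f"person{i}@example.org" for i in range(90)]
    careless = EmailMessage()
    careless["From"] = "office@example.org"
    careless["To"] = ", ".join(people)  # the mistake: list pasted into To:
    careless["Subject"] = "Correction: hearing date"
    careless.set_content("Corrected details below.")
    safe, envelope = build_bulk("office@example.org", people,
                                "Correction: hearing date", "Corrected details below.")
    leaked = [p for p in people if p in safe.as_string()]
    return check_outbound(careless), check_outbound(safe), len(envelope), leaked


if __name__ == "__main__":
    print(demo())
```

The same check can run in a mail gateway or a send-button hook; the point is that the decision is made on the headers recipients will actually see, not on the envelope.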

According to figures released by the Information Commissioner’s Office, the bulk of data security incidents suffered by the healthcare sector alone in 2017-18 was due to carelessness and inadvertent errors on the part of employees. For example, out of 349 data breach incidents, 72 occurred due to data being faxed or posted to incorrect recipients, 49 occurred due to loss or theft of paperwork, 45 occurred due to data sent by email to incorrect recipients, 27 occurred due to data left in an insecure location, 13 occurred due to failure to redact data, and 6 occurred due to failure to use bcc when sending email.


Some Recent Examples of Email Data Breaches…

Child Abuse Inquiry

The Independent Inquiry into Child Sexual Abuse has been fined £200,000 after sending a mass email that identified possible abuse victims.

An inquiry staff member emailed 90 people using the “to” field instead of the “bcc” field – allowing recipients to see each other’s addresses. The ICO said the incident last year was a breach of the Data Protection Act. The inquiry said it had apologised and reviewed its data-handling.

Twenty-two complaints were received about the breach and one person told the ICO he was “very distressed” by it. The inquiry, which covers England and Wales, was set up in 2014 with the aim to investigate claims against local authorities, religious organisations, the armed forces and public and private institutions – and people in the public eye.

An inquiry staff member first sent a blind carbon copy (bcc) email on 27 February 2017 to 90 inquiry participants telling them about a public hearing. After noticing an error in the email, a correction was sent but email addresses were entered into the “to” field instead, revealing the addresses of the recipients.

Fifty-two of the email addresses contained full names or had a full name label attached.


56 Dean Street HIV Breach

A London sexual health centre mistakenly leaked the details of nearly 800 patients who have attended HIV clinics. The 56 Dean Street clinic in Soho sent out the names and email addresses of 780 people when a newsletter was issued to clinic patients.

Patients were supposed to be blind-copied into the email but instead details were sent as a group email.

The centre, along with others in the trust’s network, comprises Europe’s biggest sexual health service. Patients who have attended HIV clinics and opted in for the clinic’s OptionE service were able to see the names and addresses of other patients.

The clinic’s online service lets people book appointments and receive test results by email.


West Ham United

Email addresses of hundreds of West Ham football club supporters were exposed when the club sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon but pasted all the email addresses in the ‘To’ field instead of in the ‘bcc’ field.

The pasting of email addresses in the ‘To’ field instead of in the ‘bcc’ field has occurred many times in the past, forcing organisations to apologise to affected customers or to face regulatory action for such careless mistakes.

After realising that personal email addresses of hundreds of fans were exposed by the offending email, West Ham recalled it and sent another email to affected fans, stating that the breach occurred because of an inadvertent error and that it had informed the Information Commissioner’s Office about the incident.

“You may have received an email that included a segment of email addresses of those who were also successful in the ballot. The Club apologises that this information was inadvertently included and has reported this matter to the Information Commissioner’s Office.

“The email was recalled where possible and we ask that if you did receive this email to please disregard it immediately. Beyond your email address, no other information has been shared.

“The Club will take the necessary steps to review and amend the process with the view to prevent this from happening again,” the email read.


Perth and Kinross Council

Perth and Kinross Council could face a huge fine after revealing the personal email addresses of more than 1,000 property owners. A staff member sent an email about an upcoming course on property management to every one of the landlords on its database.

Instead of masking the addresses, the staff member sent the email with all of them visible, so every one of them could be read by each recipient.

Another email was sent a short time later asking every landlord to ignore and delete the offending message and confirming the council had confessed to the ICO about the breach.

Perth and Kinross Council will now face an anxious wait to discover what action the ICO will take, as the 2018 Data Protection Act gives it the power to impose a fine of up to 20 million euros (£17 million).

A spokesman for the council said: “We take our responsibilities as a controller of personal data extremely seriously, and have reminded all staff of the importance of protecting that.”
