£200,000 fine for exposing possible child abuse victims in classic Cc/Bcc email blunder

Graham Cluley

£200,000 fine for exposing possible child abuse victims in classic Cc/Bcc email blunder

£200,000 fine for exposing possible abuse victims in classic CC/BCC email blunder

The UK’s Independent Inquiry into Child Sexual Abuse (IICSA) has been fined £200,000 for revealing identities of historic child abuse victims in a mass email.

The IICA was set up four years ago to investigate which institutions had failed to protect children from sexual abuse. As you can imagine, many vulnerable people may have communicated with the Inquiry and would have an expectation that their sensitive personal information would remain secure and confidential.

Unfortunately a simple email blunder exposed 90 of the participants, breaching the Data Protection Act.

Announcing a £200,000 fine, the Information Commissioner’s Office (ICO) explained what went wrong:

On 27 February 2017, a staff member sent a blind carbon copy (“bcc”) e-mail to 90 participants informing them about a forthcoming public hearing. He noticed an error in a link contained within the body of the e-mail and sent a correction by entering the participant’s e-mail addresses into the ‘to’ field instead of the ‘bcc’ field, by mistake. The recipients of the e-mail could therefore see the e-mail addresses of all the other recipients (“the security breach”).

52 of the e-mail addresses contained the full names of the participants or had a full name label attached, and 23 included a partial name.

In response to this terrible but all-too-common privacy goof, the Inquiry told a supplier to set up a mailing list for participants. Unfortunately the mailing list was not properly tested before going live, and the Inquiry trusted its supplier that individual recipients would not be able to reply to the entire mailing list.

You can probably guess what happened next…

On 20 July 2017, a recipient clicked on ‘Reply All’ in response to an e- mail from the Inquiry via the mailing list. This revealed the recipient’s e-mail address to the entire mailing list, contrary to the Company’s advice. Four more participants revealed their e-mail addresses to the entire mailing list by clicking on ‘Reply All’ when replying to the recipient’s e-mail.

Despite promises that anyone registering on the forum would have their details stored securely, and not shared with any third parties, this wasn’t the case. The users’ email addresses were shared with the IT company setting up the mailing list without their consent.

Fining the IICSA £200,000, the ICO explained where failings had occurred:

  • The Inquiry failed to use an email account that could send a separate email to each participant;
  • The Inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s email addresses were entered into the ‘bcc’ field;
  • The Inquiry hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list;
  • In July 2017 a recipient clicked on ‘Reply All’ in response to an email from the Inquiry, via the mailing list, and revealed their email to the entire list;
  • The Inquiry breached their own privacy notice by sharing participants’ emails addresses with the IT company without their consent.

Email redAll of these problems could have been avoided if properly-configured and tested mailing list software had been implemented in the first place, or if the Inquiry’s email clients had warned that they had a ridiculously large number of people in the CC field and asked for confirmation that the email really should be sent.

How hard would it be for email systems to make that check? Or even to spot that a large number of people at different domains have been cc’d and perhaps that might indicate a human goof, and a suitable warning message should be displayed?

The Inquiry and the ICO received 22 complaints about the breach, and one complainant told the ICO that they were “very distressed” by what had happened.

The IICSA has apologised to affected individuals, but the damage has already been done.

The IICSA is far from the first organisation to breach innocent people’s privacy in this fashion and it won’t be the last. Other organisations would be wise to learn from their mistakes, if they wish to avoid causing similar harm (and receiving similar financial penalties) in future.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “£200,000 fine for exposing possible child abuse victims in classic Cc/Bcc email blunder”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES