The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has ‘fessed up that last month it made the same kind of boo-boo many others have committed before – sending out an email with a long list of email addresses listed for all to see in the Cc: rather than hidden away via the Bcc: field.
The email, which exposed the email addresses of 38 journalists and editors on 24 May, was ironically part of a campaign designed to raise awareness of Europe’s GDPR data protection legislation.
The email’s translated subject line?
“What does the Privacy Act mean to you”
It’s hardly the biggest data breach the world has ever seen, but the fact that it was caused by the agency which has been policing the activities of the likes of Facebook, Uber, and Microsoft inevitably raised some eyebrows.
Journalists quickly asked whether the data protection agency would be reporting itself to… itself. Which, it appears, they did… albeit not within the 72 hours required by GDPR legislation.
Full marks for transparency I suppose, but probably better if it hadn’t been quite so transparent with individuals’ data in the first place.
Hear more about this incident, and other organisations who have made similar blunders, and how they might be stopped, in this episode of the “Smashing Security” podcast: