Data protection authority reports itself to itself after data breach

Graham Cluley @gcluley

Privacy watchdog reports itself to itself for data breach


The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has ‘fessed up that last month it made the same kind of boo-boo many others have committed before – sending out an email with a long list of email addresses listed for all to see in the Cc: rather than hidden away via the Bcc: field.

The email, which exposed the email addresses of 38 journalists and editors on 24 May, was ironically part of a campaign designed to raise awareness of Europe’s GDPR data protection legislation.

The email’s translated subject line?

“What does the Privacy Act mean to you”

Ap email

It’s hardly the biggest data breach the world has ever seen, but the fact that it was caused by the agency which has been policing the activities of the likes of Facebook, Uber, and Microsoft inevitably raised some eyebrows.

Journalists quickly asked whether the data protection agency would be reporting itself to… itself. Which, it appears, they did… albeit not within the 72 hours required by GDPR legislation.

Oh dear.

Full marks for transparency I suppose, but probably better if it hadn’t been quite so transparent with individuals’ data in the first place.

Hear more about this incident, and other organisations who have made similar blunders, and how they might be stopped, in this episode of the “Smashing Security” podcast:

Smashing Security #130: 'Doctored videos, BCC blunders, and a diva'

Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
More episodes...

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.