To BCC or not to BCC – that is the question data watchdog wants answered


A data regulator has reminded companies they need to take care when writing emails to avoid unintentionally blurting out personal data.

Unsurprisingly, much of the UK's Information Commissioner's Office (ICO) guidance comes down to the correct use of address fields for recipients and considering the content of an email before hitting the bulk send button.

The ICO warned companies that staff need training on how to properly use the Carbon Copy (CC) and Blind Carbon Copy (BCC) fields.

The watchdog said it had "seen hundreds of personal data breach reports where a sender has misused the 'BCC' field."

The misuse ranges from simply forgetting to use the BCC field to placing confidential information in emails that aren't encrypted and can be viewed as they travel through servers on their way to their destination.

As a reminder for any Reg readers living under rocks, using the "BCC" field means that recipients cannot see each other's email addresses - useful for a bulk email with a large mailing list. "CC" means the email addresses can be seen, which can be useful in ensuring a recipient is aware of who else is getting the same email.

The ICO cited two case studies where the "To" or "CC" fields were used erroneously instead of "BCC." In the first, an NHS Trust manually copied patients' email addresses and pasted them into the "To" field to send a bulk email about an art competition. While the email didn't contain confidential information, the presence of all those email addresses in the "cc" field meant recipients could identify active patients of the trust. The health body was fined for the error.

In the second case study a charity performed an incomplete migration to a secure email platform. While they waited for the job to complete, emails still needed to be sent. For one of these emails, a staff member erroneously added addresses to the "CC" field manually. Email addresses were, therefore, visible to all recipients. The email was an agenda for an event and was sent to 105 members of an HIV advisory board.

The ICO noted: "65 of the 105 email addresses clearly identified recipients, with two recipients contacting the charity to highlight the incident."

Email is decades old, and it is unsettling that people are still making errors in this way. Hence the ICO's reminder that organizations need to be aware of best practices and take a risk-based approach to email.

As well as ensuring everyone understands the difference between "CC" and "BCC," the ICO recommends rules in email systems to warn when "CC" is being used, and to add some delay in sending emails to give staff time to correct errors before a message is sent. The watchdog also advised that people should turn off those annoying, seemingly helpful autocomplete functions that might result in an unexpected email address being used.
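One way to implement the pre-send warning the ICO recommends, as an added example in Python (not code from the article, the ICO or any email vendor): it parses an outgoing message's To and Cc headers, counts the addresses every recipient would be able to see, and flags the message when that count exceeds a threshold. The threshold and the sample messages are assumptions; the 105-recipient agenda case from the article is reconstructed with constructed addresses.

```python
"""Pre-send check for recipient exposure via the To/Cc headers (illustrative)."""
from email import message_from_string
from email.utils import getaddresses

# Assumed tuning value: above this many visible addresses, warn and hold the send.
MAX_VISIBLE_RECIPIENTS = 5


def visible_recipients(raw_message: str) -> list[str]:
    """Return the addresses every recipient will see (To and Cc, not Bcc)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def check_recipient_exposure(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Flag a message whose To/Cc headers would expose many addresses to each other.

    Returns the number of distinct visible addresses, how many domains they span
    (a rough sign that this is a mailing list rather than one team), and a verdict:
    'ok' at or below the limit, 'warn' above it, so a mail rule can hold the message
    and give the sender time to move the list to Bcc.
    """
    unique = sorted(set(visible_recipients(raw_message)))
    domains = {a.split("@", 1)[1] for a in unique if "@" in a}
    return {
        "visible_count": len(unique),
        "domains": len(domains),
        "verdict": "warn" if len(unique) > limit else "ok",
    }


# Constructed sample: an event agenda with 105 board members pasted into Cc.
SAMPLE_CC_BULK = (
    "From: events@example-charity.test\r\n"
    "To: events@example-charity.test\r\n"
    "Cc: " + ", ".join(f"member{i}@mail{i % 7}.test" for i in range(105)) + "\r\n"
    "Subject: Agenda for next meeting\r\n"
    "\r\n"
    "Please find the agenda attached.\r\n"
)

# Constructed sample: the same message with the list moved to Bcc.
SAMPLE_BCC_BULK = SAMPLE_CC_BULK.replace("Cc: ", "Bcc: ", 1)

if __name__ == "__main__":
    for name, raw in (("cc", SAMPLE_CC_BULK), ("bcc", SAMPLE_BCC_BULK)):
        print(name, check_recipient_exposure(raw))
```

Only the To and Cc headers count as visible; the Bcc variant of the same message passes because the sender's own address is the only one recipients will see.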

The ICO also issued a reminder that email might not be the best delivery method, even if using "BCC." It noted that even if a third-party provider is being used to send emails on behalf of an organization, the organization's own requirements must be followed.

"Email," said nan ICO, "has progressively go nan default prime for efficiently sharing information, but this doesn’t ever make it nan champion choice." ®