Another two examples of email data breaches
Yet another example of an email using the CC (carbon copy) field instead of the BCC (blind carbon copy) field. This time, it was Premiership side West Ham United Football Club.
The email was sent to a group of supporters regarding their ticket allocations for an away game at Wolverhampton Wanderers.
Once the football club discovered the error, it attempted to recall the email, but the follow-up email apologising for the error resulted in the email addresses being shared yet again.
Their email read:
“You may have received an email that included a segment of email addresses of those who were also successful in the ballot […] The Club apologises that this information was inadvertently included and has reported this matter to the Information Commissioner’s Office (ICO).
The email was recalled where possible and we ask that if you did receive this email to please disregard it immediately. Beyond your email address, no other information has been shared.”
The ICO is aware of the incident and is “making enquiries”.
A few weeks later, Aldershot FC offered a tour of their stadium and blasted a mail out to several hundred recipients. Seven of them forwarded said email to me. Many, many GDPR breaches to be discussed there.
While this incident was undoubtedly caused by human error, it is a reminder that an organisation’s employees can pose a significant threat to data security. In this instance, no personal information other than email addresses was leaked, but it just goes to show how easy it is to make mistakes that could quite easily compromise other, more sensitive personal information.
What can you do?
To combat and prevent these mistakes and other careless actions, consider educating your employees on the risks and potential consequences of misusing the Cc and Bcc fields. It sounds obvious, but data breaches caused by human error are quite common.
Both clubs failed to introduce a GDPR culture and help employees buy in to data protection. Both clubs failed everyone on their mailing lists.