Incorrect use of BCC in emails major cause of data breaches

September 2023

The Information Commissioner’s Office has issued a stark warning about using the BCC field (blind carbon copy) to send email to multiple addresses. They say failure to use BCC correctly is one of the most common data breaches reported to them every year.

Such breaches can cause considerable distress and harm especially if sensitive personal information is involved. The Regulator says businesses should assess whether other secure methods would be more appropriate.

Many of us will use the BCC field, so the recipients can’t see each other’s email addresses. But it’s easy to make a mistake. The Regulator provides the following suggestions;

  • Setting rules to provide alerts to warn employees when they us the CC field.
  • Setting a delay, to allow time for errors to be corrected before the email is sent.
  • Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.

Using BCC is not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information about recipients. Instead the advice is to use other secure means, such as bulk email services. This would prevent the chance of mistakes being made. The ICO says it would also expect businesses to consider having policies and training in relation to email communications.

HIV charity fine

The case of HIV Scotland provides a stark warning of how things can go wrong. The charity was fined in 2021 for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the ‘CC’ field. In fact, 65 of the addresses identified people by name.

Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed.

An investigation by the ICO found a number of shortcomings in the charity’s email procedures, including:

  • inadequate staff training
  • an inadequate data protection policy
  • incorrect methods of sending bulk emails by using the ‘BCC’ (blind carbon copy) method.

During their investigation the ICO discovered HIV Scotland had procured a new system back in July 2019 to enable bulk emails to be sent securely. However, at the time of the breach seven months later, they had failed to migrate the CAN email list over to the new email system. The charity still continued to use the ‘BCC’ method of emailing to the CAN list.

The BCC method of bulk email is open to human error. In this instance, the email addresses of recipients were mistakenly placed in the CC field instead of the BCC field.

The ICO’s Monetary Penalty Notice states HIV Scotland ‘failed to implement an appropriate level of organisational and technical security to its internal email systems’ which resulted in the breach of special category data.

What actions can we take?

Organisations which send bulk emails might wish to make sure:

  • staff who handle email communications have received sufficient training.
  • appropriate and robust email procedures are in place for staff to follow.
  • staff are regularly reminded of the correct procedures.

Clearly there’s a risk if you use the BCC method that email addresses could accidentally end up in the CC field rather than the BBC field, resulting in disclosure of personal data. The ICO is indicating this method of sending should be avoided. If you regularly send emails using the BCC method, you should look to implement a bulk email solution to prevent the risk of disclosing personal data to others.

The National Cyber Security Centre has a useful Email Security Checklist.