Skip to content
Naked Security Naked Security

Basic email blunder exposed possible victims of child sexual abuse

The Independent Inquiry into Child Sexual Abuse sent out a mass emailing in which a staffer mistakenly used "To" instead of "Bcc".

When it comes to mistakenly putting recipients’ email addresses in the “To” field instead of the “Bcc” field, happy endings aren’t common. But it was most particularly damaging when that common email misstep was made by the UK’s Independent Inquiry into Child Sexual Abuse (IICSA), which sent out a bulk email that identified possible victims of child sexual abuse.
The Information Commissioner’s Office (ICO) said on Wednesday that it’s fined the IICSA £200,000 (USD $260,000) over the blunder.
The Inquiry covers England and Wales. It was set up in 2014 to investigate the extent to which institutions – specifically, according to the BBC, local authorities, religious organizations, the armed forces and public and private institutions – failed to protect children from sexual abuse.
The Inquiry’s failure to keep confidential and sensitive personal information secure is a breach of the Data Protection Act 1998, the ICO said.
According to the ICO, on 27 February 2017, an IICSA staff member sent a blind carbon copy (Bcc) email to 90 Inquiry participants telling them about a public hearing. After somebody spotted an error in the email, a correction was sent out. But in that correction, email addresses were mistakenly entered into the “to” field, instead of the “Bcc” field.
That glitch let recipients see each other’s email addresses and thereby identified them as possible victims of child sexual abuse.
Participants’ full names were included – or were part of an attached email signature – in 52 of the email addresses.
One of the recipients alerted the Inquiry to the breach. He or she entered two more email addresses into the “to” field, then clicked on “Reply All.”
It snowballed from there. First, the Inquiry sent out three emails, asking the recipients to delete the original email and not to circulate it any further. One of those emails generated 39 “Reply All” emails.


One recipient told the ICO he was “very distressed” by the security breach. In total, the Inquiry and the ICO received 22 complaints.
ICO Director of Investigations Steve Eckersley:

This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen.
People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.

The error could have been avoided with more staff training, a different email account, and a lot less trust in the IT company hired to manage the mailing list, the ICO said. Specifically, its findings:

  • The Inquiry failed to use an email account that could send a separate email to each participant.
  • The Inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participant’s email addresses were entered into the “Bcc” field.
  • The Inquiry hired an IT company to manage the mailing list and relied on advice from the company that it would prevent individuals from replying to the entire list.
  • In July 2017 a recipient clicked on ‘Reply All’ in response to an email from the Inquiry, via the mailing list, and revealed their email to the entire list.
  • The Inquiry breached their own privacy notice by sharing participants’ emails addresses with the IT company without their consent.

What to do?

It’s not easy to muster up good advice for people who make the To/Bcc mistake. The fact that it happens so regularly (if you haven’t done it, I bet you know somebody who has) suggests that there’s either a basic design flaw in email, or that normal email clients might be the wrong tool for the job.
If you’re sending sensitive emails you might want to look at hiding your email client’s “To” and “CC” fields so that you simply can’t enter email addresses in a way that allows them to be shared. Alternatively, you could use an email marketing platform that sends an individual copy of your email to every individual on a mailing list.


9 Comments

That fine works out to just over £2000 for each of the 90 inquiry participants. I bet not a single one of them will see any of that money. Happens all the time.

It sounds like the ICCSA is a government agency, so one government agency is fining another government agency. Since government agencies get all their money from taxpayers, we have the taxpayers fining themselves a lot of money. None of it comes from the bureaucrat’s pockets so what is the point? Most government agencies budget slush funds for legal expenses, so it’s just another day at the office. At least when a private company is fined the money comes from the shareholders’ pockets; they in turn can pressure company management to do better. Not so with government agencies.

It’s a fine. Why would you think any of the participants would get money from that?

This type of mistake could be reduced by some very simple tweaks in email clients, such as Outlook. If a “send to list” button was added alongside the “send” button and it caused all recipients to be BCC it would do a great deal to improve privacy anyway. Or it could be called “Send Privately” – to be more consistent with “In Private Browsing” a feature that people are already familiar with.

This is actually an excellent suggestion, however there are hundreds (if not thousands) of email clients out there, so this would probably require some sort of legislation to accomplish. Personally, I would support this type of legislation, although as a general rule I prefer governments keep their noses out of the business arena. Governments have enough trouble policing themselves, let alone business.

I think if you cover Outlook and maybe the 2 or 3 other biggest email clients that are used in businesses, you cover most of them. I mean, I don’t even know a company that doesn’t use Outlook.

There are lots of systems that regulate themselves–and lots of software developers receptive to feature requests–no need to wait for legislation.
Great software means happier users, leading to word-of-mouth referrals and more users/greater market share.

Or something like the MAPILABS “send personally” tool which converts a group or list to individually sent emails

The real problem here is that someone was (probably) just creating a list of names in his e-mail client when he should have been using some kind of bulk-mailing service (or other kind of list-server).
Use the right tool for the right job. An e-mail client is not a list service. And some guy who thinks he can save a buck by pretending otherwise is not an IT professional and should not be managing sensitive data.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?