back to article BCC is hard, OK? Quite a lot of orgs blurted your email addresses in GDPR mailouts

Amid the chaos of new European data protection rules coming into force at the end of last week, organisations are apparently struggling to grasp even the most basic of technical challenges, sending out non-blinded emails to their users. Topping the irony charts is ad-blocker Ghostery, which sent users an email with more than …

  1. }{amis}{


    I've had to give this advice to various departments over the years: If an external email has to go to a bunch of people then use a professional mass mailer.

    Usually accompanied by a domain rule specifying that external email cant be sent to more than 5 recipients.

    1. AMBxx Silver badge

      Re: Doh!

      It's not helped by Outlook hiding the BCC box by default. If MS have the sense to check for the word 'attached' in an email and warn about forgetting the attachment, you'd think they'd do something about 100s of to or cc addresses.

      1. Joe 37

        Re: Doh!

        Or; my pet hate.

        Idiots who use "Reply to All" on every ********** single email.

        Outlook makes this far, far too easy.

        It is an option that ought to be hidden under thirty menus. In the last thirty years of email use I've used it once.

        So why, **********ing why is it an option at all?

        1. Oengus

          Re: Doh!

          I have seen more than one e-mail where the person hit "Reply All" when they meant to only respond to the originator with some very "pointed" comments about some of the other recipients... One such response landed the person in front of HR and resulted in an official reprimand...

          1. Anonymous Coward
            Anonymous Coward

            Re: Doh!

            I worked for a European energy company, and an email to all employees was sent in one of the directors names. Some fool "replied all" with their branespeak, and in a company with over 40,000 employees copied in, a small additional number of fuckwits were persuaded that this was a good way to raise their profile. This snowballing of bilge rapidly threatened to take down the entire IT infrastructure, until the CEO waded in and sent an email to all employees, promising that the next person using "reply all" to company wide email would find a compulsory meeting with him in their Outlook calendar, including paid travel to the German head office.

            Surprising how many people suddenly realised that it was possible to NOT "reply all" - although only for a few days. I've concluded that "reply all" is the digital equivalent of liking the sound of your own voice.

      2. John Brown (no body) Silver badge

        Re: Doh!

        "It's not helped by Outlook hiding the BCC box by default. If MS have the sense to check for the word 'attached' in an email and warn about forgetting the attachment, you'd think they'd do something about 100s of to or cc addresses."

        Our company recently switched to O365. Outlook defaults to reply-all. Even the Android app does too. You have to click the tiny arrow on the button to change it or go into the settings to change the default. There is evidence in my inbox that demonstrates that at least some people in the company haven't figured that out yet.

  2. Hollerithevo Silver badge


    I like the idea of all the freelancers meeting up for drinks or coffee. Comparing notes, deciding that strength lies in solidarity, etc.

  3. wolfetone Silver badge

    GDPR Happened?

    Are you sure?

    Because I'm still getting emails from companies selling me stuff, when those same companies asked me to keep in touch with them, which I refused to do.

    Haven't had an email from my Nigerian Prince friend though. Poor guy, must be awful having to deal with this GDPR thing while not being able to access the money in his friend's account without my help.

    1. EBG

      Re: GDPR Happened?

      Just got a spam from the European Commission. And another from

  4. LeahroyNake

    it only takes

    One idiot, (normally in sales)to select the wrong field and you will have a serious issue.

    It's easy enough to prevent in exchange etc by setting maximum recipients to a sensible value. At least it will limit the damage.

    Sophos SEA (mail scanning appliance) can also do rule checking on outgoing mail to prevent this problem as well.

    1. Adam 52 Silver badge

      Re: it only takes

      If your IT is encouraging people to do this in Outlook then IT is the problem. Customer comms should always be done from a dedicated tool (one that enforces consent and respects opt-outs), and customer email addresses should never be available in bulk outside of that tool.

      And of your IT department doesn't provide that tool... well these days it's easy to bypass them. Sure it'll cause long-term problems but if you don't then you'll get short-term and long-term term problems.

  5. Anonymous Coward
    Anonymous Coward

    Since Demon mail was outsourced to Office 365 the BCC function has been reported by BCC recipients as showing all the BCC addresses. My emailer is Pegasus.

    Just sent a message to a user in my Demon subdomain from a different user in the same subdomain. Also BCC'd it to another user in that domain - and also BCC'd it to a user in a different domain.

    The first received message's headers just shows the To: field.

    The second message shows the same To: field - followed by the line "BCC:" with both the other two recipients' addresses which are in different domains.

    That looks definitely like a breach of expected behaviour.

    The third one has not arrived - possibly that is for the other BCC'd domain which should have done a redirection.

    1. Anonymous Coward
      Anonymous Coward

      "My emailer is Pegasus."


      Just repeated the experiment to four addresses.

      All addresses are in my Demon subdomain. One To: and three bcc:

      Instead of receiving four emails - there are only two.

      First one raw view only has the To: field

      Second one has To: field - followed by the line "BCC:" - containing all three bcc addresses.

      Something is wrong with the Office 365 handling of a header's BCC field - or Pegasus is coding the multiple addresses in a way that is not recognised beyond the first? one.

      This the anonymised raw header view - the To: keyword is mixed case - the BCC is uppercase.


      Date: Tue, 29 May 2018 15:55:26 +0100

      Subject: bcc test2


      1. Anonymous Coward
        Anonymous Coward

        Mail goes to everyone in the RCPT_TO … To/cc fields are just for display. You wouldn’t have a bcc field - that kind of defeats the purpose.

        1. Anonymous Coward
          Anonymous Coward

          " You wouldn’t have a bcc field - [...]"

          Without digging out the RFC. My expectation is that my email application sets the outgoing header To: field for all the visible addresses - and sets the outgoing header BCC: field for all the bcc addresses.

          When that outgoing email arrives at my service's mail server - it would then get duplicated as separate emails to each recipient. The BCC field is either omitted on those emails - or used to tell each single bcc recipient that what they have received was sent as a blind copy.

          The Office 365 mail service seems to be recognising the BCC: field in the Pegasus outgoing header - but then acting as if there is only one bcc address - with the remainder of the addresses being treated as comment? text for that address.

          1. Anonymous Coward
            Anonymous Coward

            "Without digging out the RFC. "

            Have now dug it out. RFC-2822 makes various provisions for whether a blind copy recipient gets a Bcc: field in their copy of the email.

            The only thing that appears unexpected about Bcc: in RFC-2822 section 3.6.3 is that is appears to allow an option of all the Bcc addresses to be sent to each Bcc recipient. See quote below.

            That seems like a security weakness - assuming that a number of Bcc recipients are entitled to know who else was sent a blind copy?

            "In the second case, recipients specified in the "To:" and "Cc:" lines each are sent a copy of the message with the "Bcc:" line removed as above, but the recipients on the "Bcc:" line get a separate copy of the message containing a "Bcc:" line. (When there are multiple recipient addresses in the "Bcc:" field, some implementations actually send a separate copy of the message to each recipient with a "Bcc:" containing only the address of that particular recipient.)"

            It still appears that this Office 365 service is not correctly interpreting the Pegasus outgoing Bcc: field of multiple addresses "folded after each comma".

            1. Jamie Jones Silver badge

              No, it means that an email sent from person A to person B, BCC to person C and person D will appear:

              Person B:

              From: A

              To: B


              Person C:

              From: A

              To: B

              Bcc: C


              Person D:

              From: A

              To: B

              Bcc: D


              I.e. as a bcc recipient, the bcc line will only show you - no-one else, presumably so people can get a warm fuzzy feeling that they were specifically bcc'd and didn't receive it as a raw forward, or by accident.

              (When there are multiple recipient addresses in the "Bcc:" field, some implementations actually send a separate copy of the message to each recipient with a "Bcc:" containing only the address of that particular recipient.)"

              ..... i.e. most simply won't bother sending a Bcc line, but some will actually make one, containing that particular recipient only

          2. StuartMcL

            In Pegasus Mail:

            Options - Sending Mail - Checkbox 'Suppress BCC listings when sending mail" should be checked!

            To quote David Harris:

            "Suppress BCC field listings in outgoing mail BCC (Blind Carbon Copy) is a useful, but poorly-standardized feature. There are at least four ways a BCC field could be written into a message:

            It could be omitted altogether

            It could be present, but contain no addresses at all

            It could contain only each individual recipient's address

            It could contain the addresses of all people receiving the BCC

            All of these methods have adherents and detractors. By default, Pegasus Mail lists all the BCC recipients in the BCC field of mail it sends: if you would prefer that no addresses were shown in the field, then check this control. When this option is turned on, the BCC field will simply contain the text "(Suppressed)", without any addresses."

            1. Anonymous Coward
              Anonymous Coward

              "Options - Sending Mail - Checkbox 'Suppress BCC listings when sending mail" should be checked!"

              Thanks for that - and thanks to all the other people who replied.

              Pity that the suppress Bcc option apparently has to be set individually for every user identity in Pegasus - rather than just in the base "default" SMTP identity.

              Having switched on Pegasus SMTP logging I believe I now have some understanding of what happens.

              On SMTP Pegasus sends a RCPT TO: line for each address in the To: field - followed by a single copy of the body.

              It then sends a RCPT TO: line for each address in the Bcc: field. It also includes a BCC: line with all the bcc addresses - followed by a single copy of the body.

              Office 365 mail service then seems to treat the multiple addresses in my Demon subdomain as one addressee. It sends only one email for each of the two Pegasus emails sent - rather than a copy for each name. Presumably it is something to do with the multiple addresses on my Demon subdomain being classed as "alias" names in Office 365.

              That still leaves the mystery of what happened in my first test when a bcc to a different domain apparently did not arrive.

              1. Alligator

                It could be that Office 365 is not recognising comma as a valid separator for e-mail lists and is expecting semi-colon. Pegasus however, is happy with comma as an e-mail separator.


  6. Hans Neeson-Bumpsadese Silver badge

    "a shower of pillocks"

    A most excellent phrase, and one which I rarely use in everyday conversation despite there being many opportunities for doing so. I shall endeavour to employ the phrase more frequently.

    1. Crisp

      Re: "a shower of pillocks"

      Shower does work well as a collective noun for pillocks. I wonder if there are other collective nouns for other designations?

      Like a pantload of arses?

  7. Symon Silver badge

    You'd have to be a right shower of pillocks to cock up email privacy.

    p.s. May I suggest spamgourmet? Spam, yum yum!

    1. Anonymous Coward
      Anonymous Coward

      Re: You'd have to be a right shower of pillocks to cock up email privacy.

      Nice catch / bookmarking... How the mighty fall. Er wait... Isn't this the same Reg that didn't use HTTPS until last week, and requires Adblockers to block Facebook/Google Big-Slurp-Inc?

  8. This post has been deleted by its author

  9. K

    rather than "BCC is hard"...

    I read that as "BBC is hard.." and assumed it must a fetish and related to pornh*b...

    Then I started to wonder, if I spend too long on that site?!

    But it goes to show, our mind often completely mis-interprets what is in front of it!

    1. caffeine addict

      Re: rather than "BCC is hard"...

      It's always sticky when your brain replaces one word with your mother because it looks right with out context.

  10. Wellyboot Silver badge

    Email sending tool

    >>Unfortunately, due to a technical issue between us and the email sending tool we chose<<

    Then choose a different tool from the marketing dept to send emails.

    Mines the one with the copy of 'e-mail best practise' in the pocket

  11. Anonymous Coward
    Anonymous Coward

    Its 2018

    Shouldn't all email clients ask you for confirmation if you CC more than 20 addresses, and suggest using BCC to prevent reply all storms?

  12. Anonymous Coward
    Anonymous Coward

    'Stopped using 3rd-party email automation platform'

    Oh boy, isn't this the excuse of the hour. How many other services require sharing people's data with 3rd parties with the sole narrow justification of cost savings etc. Following GDPR, I look forward to some of these services coming back home so to speak. Don't you? Here's an example... powered emails started arriving this week. But there's no way to load the webpage to check the consent settings, or email anyone to explain it isn't working. What's the odds the ass who put this together was signed-in from their own local network, and didn't test logged-off or on an outside network / other device, so everything only 'appeared to work'!

    This is my 10th case seeing this just on a personal level. Jesus Christ when will firms start testing this on outside networks and devices before assuming they're compliant! Even better than that though... Start asking, whether you should even be holding onto people's email addresses. Why is there NO audit process? In all 10 cases this week, the firms involved had no right to keep my email anymore! Its just a liability to them, WTF?

    1. RancidOrange

      Re: 'Stopped using 3rd-party email automation platform'

      If the companies concerned cite Legitimate Interest as the reason for holding on to your email address they don't need to have your consent - they just need a legitimate interest, which could be almost anything.

  13. mark l 2 Silver badge

    It would be better if mail clients showed BCC as the default and you had to enable CC when you needed it, better to be safe and send mail as BCC and find out later you wanted to send it CC than vis versa.

    1. Intractable Potsherd Silver badge

      Agreed. I've said for years that the defaults should be Reply and CC, with Reply All and BCC more difficult to access, and given exactly your reason for why. I used to get most people agreeing with me, but now people don't seem to understand what I'm getting at - is it a function of Facebook/Twitter etc where people expect everyone else to be suffer every random thought?

      PS I notice that the obligate downvoter is busy again!

  14. TheProf Silver badge


    I don't use Twitter so I don't know if giving out one's Twitter name is a silly thing or not. Does publishing one's name in a rant about email addresses make sense?

  15. Cian Duffy

    Got one from the Revenue Commissioners here - the statistics division, so one that has legitimate reason to be contacting people directly - with about 50 in the CC list. They attempted an Outlook recall after and I'm sure someone has satisfied themselves that was enough to 'fix' it.

  16. Anonymous Coward
    Anonymous Coward

    Does GDPR cover responsibility for Blocking Malware:

    1: Firms with post-GDPR permission to send mailouts, but failing to filter out Malware-Attachments / Malware-Links?

    2: Firms Hosting Public-Forums to promote / support their products. But failing to take down Malware links from Bots?

  17. This post has been deleted by a moderator

    1. Intractable Potsherd Silver badge

      I haven't heard of that? Any details anywhere?

    2. Anonymous Coward
      Anonymous Coward

      @Jake Maverick

      ".I used to work for BT when they decided to publish everybody's name and address on the Internet."

      If you're saying that reverse phone lookups are in breach of the European Convention on Human Rights, that's nonsense. They've been available online in Denmark since the 1990s.

  18. Displacement Activity

    BCC is actually slightly hard

    I've written a mass mailer, which uses anonymised addressing. The main confusion is that your mail program talks to the rest of the world over SMTP, which knows nothing about "BCC". Quick overview here:

    1. tiggity Silver badge

      Re: BCC is actually slightly hard

      The mass mailer (I wrote for a club I help run) just sends (same) mail to each user, so bandwidth heavy but no chance of email address leakage. As the membership is only in 3 figures and the mailings are just text then the bandwidth "waste" is not really an issue, but would be if mail numbers were significant

      1. Displacement Activity

        Re: BCC is actually slightly hard

        Sounds like mine is pretty much the same - also for a kid's club I helped to run (small world!). I've got an extra level of security - everyone gets their own club address, and has to post through a proxy, which modifies all the mails so that no-one ever gets a 'real' outside-world mail address. It never uses BCC, of course - it's far too wooly.

  19. onefang

    Spell checkers are hard, OK?

    'Nutrition biz Vitl – which pushes "tailor-made" diet and liefstyle plans'

    The innerwebs tells me that "lief" is indeed an English word, but asks me "Did you mean: lifestyle" when I tried searching for "liefstyle". My own spell checkers underline "liefstyle" with a red squiggly line, but are happy with "lief". Maybe El Reg editors are colour blind, and don't spot the red squiggly lines? Or perhaps Vitl customers would just as lief have a tailor made diet?

  20. Ynox

    My old university computing society did the same. Nice email with 1000 emails in 'To'.

    A fairly friendly (but a bit arsey) email later and I got a data breach email from them the next day announcing what they'd done.

    And yeah. I also work in a place where 'Reply All' is pretty much the default option. Cue hundreds of email a day.

  21. Dave 15 Silver badge


    There is a problem with BCC in some email systems if you use encrypted mails.

    Some systems prefer to encrypt the mail contents and then send the decryption keys in lock boxes on the front of the email... and some include all the bcc recipients in the lock boxes. If you know how to find these then you can find all the recipients - tos, ccs and bccs. Not all systems are that bad but often those doing encrypted from mobile and some of the MS products do this (others create separate mails for each bcc recipient but that is clearly costly for data on mobile especially)

    1. David Nash

      Re: mmm

      What is a "lock box"? what is the "front" of an email? If you mean sending the key with the encrypted email, what's the point of encrypting it?

  22. Mark Simon

    As a contract trainer, I did some work for a training company which neglected to pay the trainers. The owner sent an email wishing us all a happy Christmas and craving our indulgence while the company worked its way through its cash flow problems.

    Unfortunately, the owner put us all in the CC list, and one of the others replied to all of us that the owner has a history of bad debts and was never going to pay up. This quickly developed into an impromptu action group as we banded together.

    It turned out that the owner had been barred from running a company, and had stolen money to manage his cash flow. He ended up serving time in prison.

    We never did get our money, but at least I can say that somebody who foolishly CCed the mailing list ended up in prison, so that should be an object lesson.

  23. Welshcat

    I had a brilliant one, not only did a Forklift Truck Training company send out just CC'd with all their customer and supplier database listed, in the ensuing apology a couple of minutes later some bright spark used the original e-mail to profoundly apologise to all the recipients and yes, included all the said customer and suppliers e-mails again. MASSIVE FAIL.

  24. Flakk

    ...a technical issue between us and...

    ...the email sending tool we chose...

    What a TERRIBLE way to refer to your summer intern!

  25. Anonymous Coward
    IT Angle

    IT in so many forms

    So I come the the comments section to comment on GDPR and/or BCC and end up commenting on interface design.

    You think they would hide 'CC' and 'Reply All' in the menu and just use buttons for BCC and Reply single

    {note to self :Edit tool bar}

    IT appears with regular software update, that IT's not the good stuff being updated but the bad design, bugs, holes and the like. IT will continue far into the future.

  26. Archivist


    I was reading my work emails when a seriously politically incorrect joke appeared in my in box. It had been sent as a reply to all. It was swiftly followed by an Outlook recall but remained in my Outlook web client long enough for me to save it (it was very funny).

    Needless to say the individual who sent it departed shortly afterwards.

  27. rnorman345

    BCC Secure?

    So we believe that BCC secures the email addresses?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021