Micropayments company Coil distributes new privacy policy with email that puts users' addresses in the ‘To:’ field

Micropayments company Coil has emailed users its new privacy policy but placed hundreds of their addresses in the “To:” field and therefore breached their privacy. The mail had the Subject line “Updates to Coil’s Terms and Privacy Policy” and offered links to the document. The Register has read it and can report that while it …

  1. Woodnag

    Message to CEO Stefan Thomas

    Saying "we take privacy extremely seriously" is clearly a lie.

    You didn't.

  2. Giles C Silver badge

    Incompetent idiots

    I run a small club and just use a mailing list provider (Mailchimp) to get information out to each member. The software makes sure you can’t make this sort of mistake.

    This needs the people responsible to take full liability along with the directors, so they understand how much of a problem they have caused.

    1. Anonymous Coward

      Re: Incompetent idiots

      According to the email headers, they used some solution that ultimately uses the Mailgun API. They probably have some custom CMS that uses Mailgun. Their MX records say they use G Suite, but I'm guessing they didn't send it out from their Outlook client or whatever.

  3. Neil Barnes Silver badge

    I can't help feeling that there is a market for an email client

    Which doesn't include 'to' or 'cc' fields in the address. Just bcc...

    I'm no Office expert - but is it not possible e.g. to configure Outlook or Outlook365 to not show those fields?

    1. Lee D

      Re: I can't help feeling that there is a market for an email client

      Hint: Outlook and Exchange are the single least-configurable things you'll find for what you think should be simple features.

      To: BCC: and CC:, signatures, email delivery delay/recall, greylisting, searching through all mailboxes and performing an action on an email, assigning permissions to a particular person to manage those email accounts, etc.

      Everything you think "That should be easy", forget it. Or be prepared to faff in a web GUI for ages, or write some PowerShell to get the job done. And, in many cases, pay through the nose on a per-user, per-month basis to some random third party in order to do it in an anywhere-near vaguely sensible fashion (e.g. Exclaimer for signatures).

    2. Pincushion Man

      Re: I can't help feeling that there is a market for an email client

      From what I recall, SpamAssassin hates messages with multitudes of BCC recipients and not a single user in the To: field.

      If you are saying that if we put users in the To: field, we make individual messages to the users in the SPAM, err, Marketing client, then yes, I agree, they should do that. Give them the send as one message option with a big red blinking warning box that says, "Enable send as one message with multiple To: recipients at your own peril".

      1. Neil Barnes Silver badge

        Re: I can't help feeling that there is a market for an email client

        So to keep SpamAssassin happy, only have a BCC field and simply put the first address in the TO field.

        Or better yet, break it into seven million individual messages, each to one recipient. Isn't that what the mail server is doing anyway? It just moves it one step nearer the user.
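The per-recipient fan-out the two comments above describe, as an added example that is not code from the original thread or from Coil: a pre-send guard that counts the addresses any recipient would see in To:/Cc:, and a builder that splits a bulk notice into one message per recipient so the check always passes. The addresses and notice text are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def exposed_recipients(msg: EmailMessage) -> list[str]:
    """Every address a recipient of this message would see in To: or Cc:.
    Bcc: is deliberately ignored, because it is stripped before delivery."""
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return addrs


def safe_to_send(msg: EmailMessage, limit: int = 1) -> bool:
    """A bulk notice is safe only if at most `limit` address is visible
    to the people receiving it (the comments above suggest limit=1)."""
    return len(exposed_recipients(msg)) <= limit


def fan_out(sender: str, subject: str, body: str,
            recipients: list[str]) -> list[EmailMessage]:
    """Build one message per recipient; no recipient can learn another's address."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt          # exactly one visible recipient
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


# Constructed sample data, not from the article.
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def constructed_leaky_notice() -> EmailMessage:
    """The mistake in the article: every recipient listed in a single To: header."""
    msg = EmailMessage()
    msg["From"] = "notices@example.com"
    msg["To"] = ", ".join(RECIPIENTS)
    msg["Subject"] = "Updates to our Terms and Privacy Policy"
    msg.set_content("Constructed body text.")
    return msg


if __name__ == "__main__":
    leaky = constructed_leaky_notice()
    print("leaky notice safe?", safe_to_send(leaky))   # False: 3 addresses exposed
    fixed = fan_out("notices@example.com", leaky["Subject"], "Constructed body text.", RECIPIENTS)
    print("all fan-out messages safe?", all(safe_to_send(m) for m in fixed))  # True
```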

  4. Already?

    A County Council planning dept did the same to me and 40+ others, emailing an apparently random group with a change to planning policy. The culprit's response to having it flagged up was basically 'meh', until the analogy that it was akin to her standing in the middle of town handing out her mobile phone number to 40 passing strangers lodged in her head. A meaningless and too-late apology followed.

  5. EnviableOne Silver badge

    Says it all

  6. Doctor Syntax Silver badge

    "how we interface with our mailing list provider"

    In other words the email didn't come from Coil but from some mailing house spoofing Coil in the From: field. Another business that takes security so seriously that it trains its customers to be phished.

    1. Robert Helpmann??

      how we interface with our mailing list provider

      Another business that takes security so seriously that it trains its customers to be phished.

      More like another company that takes security so seriously, it farms it out to unspecified third parties. Nothing like increasing the corporate attack surface as a security goal.

      1. Lee D

        Re: how we interface with our mailing list provider

        Colleagues keep asking me why their <external third party> mass-mailing emails can't come from our proper domain but come from <company name>@massmailing.<external third party>.tv or whatever.

        "The same reason that we don't let them telephone our customers directly and claim to be us."

        1. Bronze badge

          Re: how we interface with our mailing list provider

          My favourite is when an adjacent department purchased a cloud mass mailing service without telling us and tried to send messages spoofing our primary domain. When they put a ticket in asking why it was going to people's spam folder, we only learned it was them that purchased the service after a day-long investigation, from someone outside of that department.

          Cloud was a mistake, as it allows just about anyone to purchase things they should not have and set them up with little technical knowledge.

  7. Mike 16 Silver badge

    Ah, Memories

    While working at a game developer that had signed up to make games for a much-anticipated console, I got an email from the console maker, "To:" a hundred or so people, all of whom had been sternly cautioned to not divulge that we would be producing content for their new console.

    Not a lot of surprises as we verified who were our competition, but a bit of "Sauce for the Goose". We could have been terminated from the program for leaking that info, but them? Meh.

  8. Flywheel Silver badge

    That's all.

  9. Anonymous Coward

    This happened at work the other day, 800 or so email addresses. A smattering of private domain name addresses (presumably personal services companies of employees / contractors who are using those addresses instead of proper work email addresses) and a load of third-party contractors. Anyhoo, I reported it to IT and was then told by our DPO that in reporting it and forwarding the email to IT support (at their request), I had in fact committed the data breach. The DPO is adamant that everybody on the list had given consent to share the data across the organisation and wider, so no breach had occurred with the original email.

    This was the head honcho DPO at a multi-million turnover organisation.

    These kinds of 'mistakes' happen every single day and nobody bats an eyelid anymore.

    I'll just get on with the day job and leave IT security to the professionals. They obviously know better than me.
