back to article East London council blurts thousands of residents' email addresses in To field blunder

A local authority in East London has committed a classic privacy blunder by emailing what appear to be thousands of residents – while forgetting to use the BCC field and exposing all of the email addresseses to each recipient. The cockup, which happened on Monday, had locals in the borough of Tower Hamlets receive emails with …

  1. Anonymous Coward
    Anonymous Coward

    Apology accepted

    > "I would like to sincerely apologise on behalf of the Council for the administrative error made in sending this email identifying recipients' individual email addresses.

    At least they had the decency to call it an administrative error rather than try and claim it was a "computer error".

    It's a bit worrying that they seem to have some boiler-plate text ready to cover the situation though. I wonder what else they have to hand: We sincerely apologise for the disruption to dog walkers following the destruction of the dog litter bin in the park when a wayward rocket primary ascent stage crashed down onto it. We will endeavour to re-purpose the remains of the rocket into a new bin as soon as possible, in accordance with our recycling guidelines.

    1. Anonymous Coward
      Anonymous Coward

      Re: Apology accepted

      I think they've just created the boilerplates from an old copy of International Maritime Codes. I can't wait for their version of "XXXV QVVX."

      ("Have found Lost Continent of Atlantis. High Priest has just won quoits contest." - Good Omens)

    2. wolfetone Silver badge

      Re: Apology accepted

      "It's a bit worrying that they seem to have some boiler-plate text ready to cover the situation though."

      So do we use the response under F for Fuck Up? Or T for TITSUP?

      Ah, here it is in C. Cock up.

      1. theblackhand

        Re: Apology accepted

        I admire your optimism that only one level of categorisation is necessary...

    3. gnasher729 Silver badge

      Re: Apology accepted

      It's a computer error. The computer's high voltage defences against incompetent users clearly failed

    4. Version 1.0 Silver badge

      Re: Apology accepted

      "It is always with the best intentions that the worst work is done." - Oscar Wilde

    5. big_D Silver badge

      Re: Apology accepted

      Internally reported is not reported to the ICO. In Germany, at least, this would fall under a reportable incident und would have to be reported within 72 hours.

    6. BazNav

      Re: Apology accepted

      Misquoting today's Dilbert for what is going on in council HQ:

      "We spaffed thousands of people's email addresses on to the interwebs. Write a press release saying we are sorry and it will never happen again."

      "Is any of that true?"

      "Part of it is."

      "Which part?"

      "We spaffed thousands of people's email addresses on to the interwebs."

  2. RSW

    It could only have been better if the email was about keeping your details secure from scammers etc

  3. Mike 137 Silver badge

    "Was a Mailchimp subscription too hard?!" asked Patrick, rhetorically.

    It has been verified quite a while back by competent lawyers that it's impossible to comply with data protection legislation if you use mailchimp. As usual, the small print in their T&Cs applicable to email recipients is not fully lawful in the EEA and UK.

    However, as a matter of course, no organisation ever seems to consider anything except the contractual terms between themselves and the service provider. They never look at the T&Cs imposed on the customers of the organisation by the service provider, and typically they're pretty poor at data protection.

    However you don't need a mailchimp subscription. There's been a thing called a distribution list for ages, that allows a mail server to send an individual email to each person on the list.

    1. Woodnag

      Citation for this?

      "Mailchimp... is not fully lawful in the EEA and UK".

  4. chivo243 Silver badge

    That's a paddlin'

    I'm not sure if this falls under a data breach, but a blunder like this would surely get an hour in front of our Data Protection Officer's hair dryer (yes, it's a real position, thanks GDPR!)

    1. Grease Monkey Silver badge

      Re: That's a paddlin'

      Yes it is a data breach and the council should have reported it to the ICO as such.

  5. Potemkine! Silver badge

    Best way to sort it out: reply to all, Hi all, "have you the same problem?"

    Just for the fun of it ^^

    1. Anonymous Coward
      Anonymous Coward

      Re: Best way to sort it out: reply to all, Hi all, "have you the same problem?"

      Followed quickly by

      Stop emailing me about this. Reply to all.

      Ah, sweet memories

  6. Grease Monkey Silver badge

    I had the misfortune to work in local government until about ten years ago. Even way back before I left we were using tools to send out an individual email when bulk mailing residents. Basically it was the same in house tool as we'd always used to generate snail mail, but mangled to work with email instead of a print run.

    Sure it put more load on the mail servers than just sticking a few hundred recipients in the BCC field of a single email, but it didn't have as much opportunity for security cock ups (cocks up?). And it allowed for customised mailing. So you could have the recipient's name in each email "Dear Mr Smith" instead of some generic "Dear Householder" nonsense.

  7. Throatwarbler Mangrove Silver badge

    Bark, bark!

    I wonder if there were any reports of sea lion activity?

  8. Dr Gerard Bulger

    A developer made such a blunder listing all the addresses of its new buyers in the completed blocks. That should have been that

    Anyone using any email address provided may be in breach of GPDR, but not necessarily in private person to person emails. Anyway, mysteriously but unsurprisingly a residents and owners support group popped up a few days later. Apologies from the developer accepted with thanks

  9. ThatOne Silver badge


    > measures have been taken to avoid such an occurrence in the future

    Thanks for nothing, the damage is already done. If I run you over with my car, will you be satisfied if I say I'll make an effort not to do it again?

    That's why I never ever give anybody my real email, even if they whine they absolutely need it to sell me a hot dog...

    1. Anonymous Coward

      Re: Idiots

      It seems to work for Tesla's 'Autopilot'.

  10. Tron Silver badge

    And it won't be the last time.

    I've had a few e-mails like that and the majority have been local authorities.

    They really need to up their HR bar. The ability to stand around for hours on your phone staring at a hole in the ground, doing nothing, important though it is, is just not enough of a skill set.

    1. Phil O'Sophical Silver badge

      Re: And it won't be the last time.

      The problem isn't so much the HR bar, it's the fact that this sort of screw-up is considered so unimportant that the people who do it get a "oops, please don't do it again" as their only punishment.

      At the very least it should be called out in their anual review, with an "unsatisfactory" rating & the consequential salary/bonus/promotion hit that would go with it. They should also be sent on compulsory IT security training (and they should all have had some basic training anyway).

      Companies need to be made to realise that this is just as important as H&S training, and that such carelessness can have equally serious effects on other people's lives.

      1. hoola Silver badge

        Re: And it won't be the last time.

        Also there is a tendency for these things to be reported when public sector is to blame and somehow become buried with it is corporate. Occasionally private sector balls-ups appear but not with the same frequency.

        I simply don't believe that public sector are the only people susceptible to this sort of snafu.

        Also in public sector, particularly councils for the average employee there are no bonuses, there will be mandator training, reams of the stuff and a lot of it is total shite but you have to click through it to get the PDF certificate at the end to go on file. There is so much pointless training that it becomes self defeating. Currently where I work we have a similar thing with a shopping list of compulsory training, some has to be repeated annually, some every 2 years or 3 years, some never again. The name of the game is to just get it done so that management can put a tick in a box.

  11. Anonymous Coward
    Anonymous Coward

    Simple solution

    The only email apps accessible to office worker drones should have the CC field disabled by default.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple solution

      And the To: field should be restricted to perhaps 5 names, or one alias.

  12. T 7

    I work in the NHS. CC email to over 800 people including multiple external donains. DPO told me is was fine as everybody on the list had consented. I had not.

    I reported it to IT. Using an internal email address. Unbeknownst to me that address belonged to a contractor. I was then accused of causing the data breach myself. By divulging my concerns to IT support.

    I gave up at that point abd realised as above, that nobody gives a care

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like