back to article NHS Digital exposes hundreds of email addresses after BCC blunder copies in entire invite list to 'Let's talk cyber' event

NHS Digital has scored a classic Mail All own-goal by dispatching not one, not two, not three, but four emails concerning an infosec breakfast briefing, each time copying the entirety of the invite list in on the messages. The first email sent yesterday morning thanked participants for "registering for NHS Digital's Full …

  1. Pascal Monett Silver badge
    FAIL

    "As soon as we became aware of concerns"

    Apparently, your awareness required four successive blunders.

    You're going to have to do a lot better to make us believe your PR bullcrap.

    1. ClockworkOwl
      Stop

      Re: "As soon as we became aware of concerns"

      Sounds like:

      "Sorry, but we didn't can't be expected to realise just how incompetent we are!"

  2. Will Godfrey Silver badge
    Facepalm

    A practice run

    ... for when they've got everyone's medical info :(

    1. JassMan

      Re: A practice run

      Yep. A perfect response to to the govs failed plans to snaffle everyone health data.

      If they can't even send a private email, how can we trust them with our data. Even if they have a thousand rules about what can, and cannot be, done with private data, it only takes one idiot in an organisation and all plans are out the window. In this can there are lots of idiots and many are in government.

      1. ClockworkOwl

        Re: A practice run

        Unfortunately, if you reward idiots, evolution will give you a plethora...

  3. John Robson Silver badge

    "deleting the original invitation"

    Erm...

    Do they not know that once sent an email isn't theirs to delete?

    1. Timbo

      Re: "deleting the original invitation"

      "...and deleting the original invitation."

      One assumes the spokesperson thinks that EVERYONE uses MS Exchange, where emails can be deleted (or recalled) by the sender.

      But one would think that not everyone uses MSX so then the sender has no control, as you say.

      1. Kientha

        Re: "deleting the original invitation"

        Even then, unless something has changed in the past couple years you can only actually recall an email that goes to the same domain as you are in. Otherwise you just get another email saying they want to recall the email

        1. Gavin Jamie

          Re: "deleting the original invitation"

          That tends to be the most effective way to get me to read it.

        2. Twanky
          Facepalm

          Re: "deleting the original invitation"

          IIRC, by design, MSX message recall won't work if any one of the recipients has read the message. As MSX can't know whether off-domain recipients have read a message or not then recall never works when there are off-domain recipients. As someone else indicated, I can't think of a better way of drawing attention to a cock-up than attempting an MSX message recall.

      2. Doctor Syntax Silver badge

        Re: "deleting the original invitation"

        And once it's been read it's a bit late to recall it. In fact, reading the response together with the account it's possible that by "delete" they meant the un-BCCed email to cancel.

        1. Neil Barnes Silver badge

          Re: "deleting the original invitation"

          Once again: why does *any* email system used in a commercial or confidential context even *have* a CC option? BCC should be the default, with CC an option only available up to say half a dozen addressees.

          1. MatthewSt

            Re: "deleting the original invitation"

            How else are you going to passive-aggressively drop your coworkers in it with their manager?

          2. John Robson Silver badge

            Re: "deleting the original invitation"

            Meh - for some conversations CC is the correct thing to do, but that list should never exceed some small number without checking with the user first...

      3. steviebuk Silver badge

        Re: "deleting the original invitation"

        And recall rarely works. If you've already read it the recall is too late. If you have preview pain on you can read it before it is recalled.

        1. Twanky
          Pint

          Re: "deleting the original invitation"

          Preview pain!

          I love it!

          1. steviebuk Silver badge

            Re: "deleting the original invitation"

            Gonna claim I did that on purpose.

  4. adam payne

    "We seek to continually improve our processes and will ensure we provide delegates with an alternative means of attending our events in future."

    Does that alternative mean spending tax payers money to create a new system? instead of just using BCC.

    1. elsergiovolador Silver badge

      Contracts are probably being written right now, ripe for usual suspects to hop on.

    2. Mike 137 Silver badge

      Alternative means

      They probably mean to use Eventbrite, so the latter can abuse invitees' email addressess instead for electronic direct marketing (and profile them as well).

  5. Aristotles slow and dimwitted horse

    Lol

    Stories like these always remind me of the one in El Reg from a number of years ago of the poor girl who accidentally replied to everyone in her office via an instant message as to how much she'd enjoyed giving one of her colleagues (in the same office) - a blowjob.

    1. Yet Another Anonymous coward Silver badge

      Re: Lol

      So that's why it's called BCC

    2. Anonymous Coward
      Anonymous Coward

      Re: Blow by Blow Account

      Id forgotten this story - life sucks at times.

    3. JassMan

      Re: Lol

      Reminds me of the time, a rather evangelical secretary kept sending everyone she had on her mailing list, stories about the good news of getting to know Jesus. One day she received a mail from GOD who reminded her that everyone was entitled to their own beliefs and suggested the office would be more productive if people only received work related mails on the office system. The shock of it all kept her off work for a week and a public reprimand (all be it with a followup private beer from the boss) of the spoofer so she could see the there were no gods involved the sending of emails.

      1. Yet Another Anonymous coward Silver badge

        Re: Lol

        >no gods involved the sending of emails.

        Although sendmail config is believed to be the work of Cthullu

        1. Eclectic Man Silver badge
          Joke

          Re: Lol

          What about the daemons?

          They work really hard, you know.

          1. Boothy

            Re: Lol

            I'm not too sure about that, the daemons we have around here just seem to sit around in the background, barely doing anything most of the time, with just sporadic signs of activity!

        2. navidier

          Re: Lol

          >>no gods involved the sending of emails.

          >Although sendmail config is believed to be the work of Cthullu

          Having spent the better part of the day trying to get sendmail forwarding working on a Centos7 upgrade, I think I share that belief.

          Now I'm stuck trying to get ntpd to behave.

    4. steviebuk Silver badge

      Re: Lol

      Having problems finding this story. Anyone got a link?

  6. alain williams Silver badge

    Lessons will be learned!

    And then promptly forgotten.

    1. Doctor Syntax Silver badge

      Re: Lessons will be learned!

      And then promptly already forgotten.

  7. sabroni Silver badge
    Facepalm

    We take our responsibility to safeguard personal data extremely seriously

    Yeah, I bet you do. I expect you have the full confidence of the Prime Minister too. That's another phrase that means precisely fuck all.

    1. Yet Another Anonymous coward Silver badge

      Re: We take our responsibility to safeguard personal data extremely seriously

      >That's another phrase that means precisely fuck all.

      It means you're going to be fired within a week

      1. Eclectic Man Silver badge
        Meh

        Re: We take our responsibility to safeguard personal data extremely seriously

        "It means you're going to be fired within a week"

        Or that you have too much support in The Party to be got rid of just yet, or that the PM's waiting for an opportune moment to throw you under the bus to save him/her self. (See, e.g., Gavin Williamson, Chris Grayling etc.)

    2. Potemkine! Silver badge

      Re: We take our responsibility to safeguard personal data extremely seriously

      Trust us. Give us all of your health data. Because we take our responsibility to safeguard personal data extremely seriously you know.

  8. wolfetone Silver badge

    Style it out

    "So thank you for all attending this conference, and I'm going to start by asking you a simple question - did you see how we sent your invitation email? Well that's rule number 1, don't do that"

  9. Chris G

    Considering the subject matter of the meeting, one wonders what the employment criteria are for applicants wanting to work at NHS Digital.

    Recognising a lap top two out of three times?

    I bet they think IT hygeine is dipping a pc into a bucket of Dettol.

  10. Warm Braw

    Let's talk cyber

    Fatima's next job could be in Tesco's

    (as she is currently being informed by HR)

  11. chivo243 Silver badge
    Pint

    Really, how?

    Shouldn't there be a limit on how many recipients can be added to the To: field? Better yet, if mass mailing is to be done, do it with a system that only allows the BCCs! Is this a thing? If not, and you develop it, remember you heard it here first!! I'll just have a few of these for compensation!

    1. Pascal Monett Silver badge
      Terminator

      Yeah but the problem is always the same : as soon as you define rules to automate mailing, some idiot is going to feel that his case is special and he'll go out of his way to work around the rules and send it the way he wants.

      You cannot automate against stupidity, stupidity will win every time. You need to educate stupidity.

      With a cattle prod, if necessary.

      Icon because integrated battery charge.

      1. chivo243 Silver badge
        Pint

        I agree totally, but due to DGRP we have an "officer" to handle issues like this, oh and they like the word NO! Until I can investigate! Great colleague to have! We're generally on the same page ;-}

        An info breach is like blood in the water for my colleague, lunch is served!

        1. Eclectic Man Silver badge
          Unhappy

          I remember getting work emails CC'ed to up to a hundred co-workers. The text was about 200 characters, the list of CC'ed co workers often took the size of the message to several kB. And this after we had been asked to reduce our file storage needs to save money.

          I think I may have suggested sending department emails BCC to reduce filestore overflow, but I'm not sure anyone listened.

  12. Philip Stott
    Facepalm

    D'Oh!

    The most bum-clenchingly awful reply all mistake I've seen happened after the whole company received an email from operations reminding us of the new password policy - 12 characters, mixed case, special chars, etc., and NEVER write them down or share them.

    This poor guy (let's call him Gary) meant to forward the following to his mate, but instead replied all: "How the hell do we remember these without writing them down".

    This was swiftly followed by the email - Gary would like to recall ...

    Which was followed about half an hour later by an email from HR, saying Gary no longer works for Enron (sorry), and has left the building.

    Ouch!

  13. scrubber

    "...unless it does not pose a risk to people's rights and freedoms"

    Just as well we no longer have any rights or freedoms then.

  14. Anonymous Coward
    Anonymous Coward

    It's like rai-iiiiiin on your wedding day

    Except CC-ing to all about a cyber conference actually IS ironic.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's like rai-iiiiiin on your wedding day

      Dontcha think

  15. Anonymous Coward
    Anonymous Coward

    Don't worry the ICO will do...

    Absolutely nothing as they don't understand how to safely send e-mails either.

    I had a case last year involving a company our council outsourced some services to, they cc-d everyone who had taken the service in the city and then when realising e-mailed everyone again to ask they delete the e-mail. In this case you could have correlated some of the names in e-mail addresses to other public info and worked out the actual people. They then sent me a follow-up to the issue to me addressed to another customer!

    DPO at the company didn't think they had done anything really wrong and told me to raise with the ICO if I disagreed. So I did, the ICO did agree there was an issue and made them make a number of changes and apologise for the error, however this was the classic bit from the ICO

    "****** also explained that they consulted with their French head office and Google to see if any further technical measures could be introduced to reduce the likelihood of similar disclosures. However, no extra measures were deemed feasible as it was determined that no measures could realistically prevent human error, as in this case" - So the ICO accepted that nothing could be done to prevent this type of issue?!

    In all the companies I have worked for e-mails to customers are not sent by individuals on an e-mail platform, you can't even get to the customers e-mail addresses to do that. Messages to customers are sent via a CRM or similar both for individual and wider e-mails which ensures issues like this don't occur, seems the ICO have not heard of this approach! Remove the human being able to send these Mr ICO?

    Should I mention the ICO merged bits of data from the breach to demonstrate an individual could be identified (not myself) in the response to my complaint sent in a normal e-mail?

    1. elwe

      Re: Don't worry the ICO will do...

      Also further technical measures are very easily implemented. Just route outbound mail through a mail server that builds up a view of normal traffic and holds any abnormal mail while it sends a message to the sender to double check they really did want to send it. The sender then releases with a simple reply.

      Since my last few employers have had this in place, I assumed everyone did these days. But I guess it is just those with a clue and a care.

  16. Richard Cranium

    standard legalese footers are the solution of course...

    ...not.

    This email and any attached files are strictly confidential and intended solely for the use of the individual(s) to whom they are addressed. If you are not a named addressee you should not disseminate, share, distribute or copy this e-mail. If you have received this e-mail by mistake please notify the sender immediately and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

    That should fix it!

    On a slightly more positive note: when I press send on a Gmail that contains wording indicative of an attachment, Gmail alerts me "It seems like you have forgotten to attach a file...".

    It would be good if there were a similar alert for any email with a cc: Something like - "are you sure you want all recipients to see the email addresses of all other addressees?"

    This would be great for those occasions where I intentionally cc: all 30 members of a club so they all know who is seeing it and can *when appropriate* use reply all but then a few choose to "reply all" with some mundane observation or intended just for me.

    Even adding a standard footer "Please don't annoy everyone by using 'reply all'." didn't work. When I started sending those who persisted a sarcastic comment most but not all got the message...

    Might not be worth considering for a bcc: alert too - "Are you sure you need all recipients to receive this information".

    Completely unnecessary if everyone knew how email works but that knowledge is seemingly limited to readers of The Register and a handful of others.

  17. Jim Whitaker
    FAIL

    External data transfers anyone?

    This is the body which is supposedly going to govern the safe and approved transfer of data to external bodies. Sheesh.

  18. Anonymous Coward
    Anonymous Coward

    A traffic jam when you're already late

    A no-smoking sign on your cigarette break

    Inviting ten thousand people to a security event

    And sending the meeting to everyone on CC

    And isn't it ironic... Don't you think

    A little too ironic... And, yeah, I really do think...

  19. Pantagoon

    Surely it can't be too difficult to come up with an email client that only has a bcc field to fill in.

  20. Barrie Shepherd

    And these are the muppets that we are supposed to trust with our most private health records LOL

  21. Anonymous Coward
    Anonymous Coward

    Dear NHS Digital

    Will that be one digit or two? I send emails once a month to far too many people who generally delete without reading (I don't mind, I still get paid). Granted, the BCC button in Outfsck is not visible in a default installation, but anyone tasked with sending mass emails even internally to an entity should know of it's existence and ask for it if they don't know how to manifest it.

    Oh yes, and if Outfsck 365 is chatty enough in other time-wastingsaving ways, you'd think there'd be a friendly warning before sending to the world and it's partner.

    Anon because. Just because.

  22. Throgmorton Horatio III
    FAIL

    This is practically routine

    Some years ago I did training at PHE Porton to be part of the team that tested samples for ebola in Africa. I received emails from PHE with attached spreadsheets containing detailed personal information (IIRC name, address, telephone number, possibly age - it was a while back). This was shortly followed by an instruction to delete the information because it was a mistake. They then sent out followup emails at least twice more containing the same information again.

    One can but shrug.

  23. 0laf
    FAIL

    But why?

    Ok they cocked up like pretty much every business does every other day. But why is it so hard to set BCC as a default option?

    Yeah it's possible but it's not simple.

    why no easy end user option to "send as BCC unless"?

  24. Anonymous Coward
    Anonymous Coward

    Read the headline as ...

    ..."NHS Digital exposes hundreds of email addresses after BBC blunder"

    And thought the resulting paroxysms from the Daily Mailists and Gammonati might wipe out most of Little England.

  25. Mike 137 Silver badge

    Hundreds of addresses?

    Sending a CC (or even a BCC) email to hundreds of addresses? I very much doubt that someone selected that number of recipients by hand and eye from the address book. If they did, it must have taken some effort. So this could more likely have been driven by some kind of automation, in which case have they never heard of server side distribution lists? Very few organisations I've worked with seem to have heard of them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hundreds of addresses?

      You would be surprised at what you can do with Outlook. @mention looking at you.

  26. Roland6 Silver badge

    But why were they using email in the first place?

    I thought everyone these days used some cloud-based "event booking and attendee communication as a service" offering, so the event organiser gets nowhere near an actual email client..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like