Anti-fraud body leaks dozens of email addresses in invite mishap

Anti-fraud nonprofit Cifas was left red-faced after sending out a calendar invite that exposed the email addresses of dozens of individuals working across the fraud space. The invite was sent in August to a session scheduled for October 16 about the organization's JustMe app, which allows individuals to confirm if applications …

  1. Equality 7-2521

    Microsoft Teams doesn't help

    Experian sent me an invitation to an in-person "Data Governance Breakfast Briefing" in November 2024. There were 27 other email addresses exposed (some interesting attendees in fact). Experian didn't respond to my concerns, didn't apologise and I didn't attend. Two attendees did however contact me - both wondering why I didn't attend - and both in the Data Protection profession.

    When I investigated further, I discovered the invitation was generated in Microsoft Teams via Outlook, which didn't allow attendees to be placed in a BCC context or hidden from each other. That apparently was only possible from the web-based Teams portal.

    Just checking and this still seems to be an issue today - unless you then switch the "Teams meeting" option off after creating the event, which reveals an option to "Hide attendee list", and then you send. What a Microsoft mess.

  2. tiggity Silver badge

    Sigh

    Happens so tediously frequently.

    Just put things in place, it's not difficult.

    I'm involved in a few societies & have to send out regular emails to "mailing lists".

    I have no hassles with To or CC (or even BCC) data leaks as it sends an individual email to each person on the "list" (obviously the only drawback is this is slower).

    Although this was a bit of email software I threw together myself (it has other features: to avoid errors on my part, each mailing list has one of my email addresses associated & a list of associated directories, and I can only add attachments to those mailing lists from those directories, to avoid files for one society going to members of another, & each society has a society-specific contact email for me; obviously this relies on me putting files in the correct folder!) it was not exactly a difficult thing to throw together*

    * About the only changes it has needed have been tweaks for OAuth support when Gmail killed basic auth (I use "society-specific" Gmail contact email addresses as, in an emergency, other members of the committee for the relevant society can log in to the appropriate Gmail if I am away / ill / hit by a bus etc., since I ensure the chair & 1 other senior member of each society committee have creds to use the Gmail account if needed)
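    An added illustration of the approach tiggity describes, not the commenter's own code: one message is built per recipient so the list never sits in To/CC/BCC, and an attachment is accepted only if it resolves to a file inside the directory tied to that list. Society names, addresses and paths are constructed for the example.

```python
from email.message import EmailMessage
from pathlib import Path
import tempfile

# Constructed sample list (hypothetical names and addresses, not the commenter's setup).
MAILING_LISTS = {
    "chess-society": {"from_addr": "chess-contact@example.org",
                      "members": ["alice@example.net", "bob@example.net"]},
}


def attachment_allowed(path, allowed_dirs):
    """True only if the resolved path is an existing file inside an allowed directory.
    resolve() collapses '..' and symlinks, so a path that merely starts with the
    allowed directory as a string but escapes it is rejected."""
    target = Path(path).resolve()
    return target.is_file() and any(target.is_relative_to(d.resolve()) for d in allowed_dirs)


def build_messages(list_name, allowed_dirs, subject, body, attachments=()):
    """One EmailMessage per member: the list itself never appears in To/CC/BCC."""
    cfg = MAILING_LISTS[list_name]
    for att in attachments:                      # validate before building anything
        if not attachment_allowed(att, allowed_dirs):
            raise ValueError(f"{att!r} is outside the directories for {list_name}")
    messages = []
    for member in cfg["members"]:
        msg = EmailMessage()
        msg["From"] = cfg["from_addr"]
        msg["To"] = member                       # exactly one recipient per message
        msg["Subject"] = subject
        msg.set_content(body)
        for att in attachments:
            msg.add_attachment(Path(att).read_bytes(), maintype="application",
                               subtype="octet-stream", filename=Path(att).name)
        messages.append(msg)
    return messages


def demo():
    """Constructed layout: one directory per society, one file in each."""
    root = Path(tempfile.mkdtemp())
    chess, hiking = root / "chess", root / "hiking"
    for d in (chess, hiking):
        d.mkdir()
    (chess / "agm-minutes.txt").write_text("minutes")
    (hiking / "route-map.txt").write_text("map")
    ok = build_messages("chess-society", [chess], "AGM minutes", "See attached.",
                        [str(chess / "agm-minutes.txt")])
    try:   # '../hiking/...' sits under chess/ as a string but resolves outside it
        build_messages("chess-society", [chess], "Oops", "x",
                       [str(chess / ".." / "hiking" / "route-map.txt")])
        blocked = False
    except ValueError:
        blocked = True
    return ok, blocked
```

Wire `build_messages` to an SMTP sender (one `send_message` per returned message) to get the per-recipient behaviour the comment describes.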

    1. ecofeco Silver badge

      Re: Sigh

      Happens so tediously frequently.

      Having walked the halls of power of many companies, I do not blame the nepo-fail-baby-trustafarians out of laziness and edginess.

      They ARE the ones at the top, making spectacular failures of which you almost never hear about. What you DO hear about is just the tip of the iceberg.

    2. pc-fluesterer.info

      Gmail -- spot the error

      move on, nothing to see here!

  3. Lazlo Woodbine Silver badge

    Ever heard of BCC?

    I was a member of a large national campaigning group; we had about 500 local branches, and each branch had a chair and a data protection officer.

    One day I got an email marked urgent. The email was about a similar org that had had a data leak, so it was reminding us of the importance of keeping personal data secure.

    Naturally, the email was sent to our personal email addresses, not our organisation addresses, and everybody was in the To: field, exposing the personal email address of every single chair and data protection officer.

    I used the reply all feature to tender my resignation...

  4. Tron Silver badge

    The ICO considers an email address to be personal data.

    Oh, does it really? Then maybe it could have a word with all those couriers who plaster mine on the front of letters and parcels.

    The BCC errors are most commonly committed by local councils in the UK, as they traditionally have the highest staff numpty counts.

    1. Anonymous Coward

      Re: The ICO considers an email address to be personal data.

      "Then maybe it could have a word with all those couriers who plaster mine on the front of letters and parcels."

      I seem to remember maybe 7-10 years ago the ICO *did* fine a takeaway food (pizza?) chain for providing their delivery drivers with customers' phone numbers. Basically the ICO said that it was (obviously) valid for delivery drivers to have address details but not (by default) to have customer telephone numbers and, for situations where the delivery driver specifically *did* need to talk to the customer (i.e. they couldn't find the address), that the takeaway chain had to instead provide an IVR-type system for the delivery driver to phone to be put through to the customer rather than be provided with their phone number.

      Here's a related issue: https://www.theguardian.com/uk-news/2018/jan/16/just-eat-driver-sent-unwanted-messages-to-female-customer


  5. Insert sadsack pun here

    Possibly unpopular opinion

    Meh - this is a total non story. There is no real risk of loss or negative impact to know that antifraud people were attending an antifraud meeting.

    1. Jonathan Richards 1

      Re: Possibly unpopular opinion

      Read the downvote total, friend. I think your opinion is unpopular. And wrong. Do you not think that a list of anti-fraud people's email addresses would be valuable to, oh, I dunno, some spear-phishing crew?
