Data breaches – the problem with email

Despite fears about cybercrime, email errors are one of the biggest causes of data breaches. In fact, the latest figures[1] from the ICO reveal that misdirected email (392 reports) is a more significant issue than phishing (215 reports) and ransomware (141 reports).

Email data breaches can come in many forms. Two of the most common examples are:

  • Sending data to the wrong recipient
  • Not using the BCC function when sending a mass email.

For example, in September 2019, a London gender identity clinic exposed the details of almost 2,000 people after an employee cc’d recipients instead of bcc’ing them. Because the clinic treats people who are transgender, the Charing Cross Gender Identity Clinic data breach could have outed someone.

In another data breach, an independent inquiry into child sexual abuse caused harm to victims when an email was sent to those involved in the review without using the bcc function. Because the recipients could see each other’s email addresses, they could potentially identify each other as possible victims of child sexual abuse.

Can you protect yourself?

Of course, there is little people can do to avoid these types of situations. If an organisation does not have adequate email processes in place, or does not train staff on data security, you could find yourself the victim of a data breach. In such instances, often the only form of redress is to claim data breach compensation.

But, according to a BBC report, some people are unwittingly “handing over the keys to their digital life”. BBC journalists were able to see details of a stranger’s credit report after that person entered a slightly incorrect email address when signing up to the online credit scoring site ClearScore. The email address doubled as the account username. When the credit service sent an email to confirm the account, it went to someone whose email address was almost the same as theirs. This stranger could get into the account and even change the password. One small mistake let the wrong person see a huge range of personal information, including the date of birth and previous addresses of the actual account holder, as well as information about their credit applications.

Most of us hand over our email address in return for services. And we do so willingly. But our email address provides a way into our digital life. Just one incorrect letter or a dot in the wrong place could mean that our personal and sensitive information falls into the wrong hands.

In most cases, if someone with a name like yours gets access to a service you signed up for, they are likely to ignore it (perhaps thinking it might be spam). But are you willing to take that risk? The information accessed following an email sign up mistake could be extremely valuable to cybercriminals. For example, they could use it to apply for loans and other credit in your name.

Organisations must find ways to check their customers are who they say they are when signing up (e.g. two-factor authentication, making people enter their email address twice with no cut and paste option, etc.). In addition, to keep yourself safe online, you must do everything possible to protect yourself from fraud and become more vigilant when signing up online.
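One way an organisation could build the sign-up checks described above, shown as an added example that is not part of the original article and not any real service's code. The `SignupService` class, its method names and the sample profile are all hypothetical: the address is entered twice, the emailed link alone never opens the account, and no password reset is sent to an address that has not been confirmed.

```python
import hashlib
import hmac
import os
import secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class SignupService:
    """Constructed in-memory model; every name here is hypothetical."""
    def __init__(self):
        self.accounts = {}

    def register(self, email, email_again, password):
        email, email_again = email.strip().lower(), email_again.strip().lower()
        if email != email_again:  # catches many one-letter typos at entry
            raise ValueError("email addresses do not match")
        salt, token = os.urandom(16), secrets.token_urlsafe(32)
        self.accounts[email] = {
            "salt": salt, "pw": _kdf(password, salt),
            "token": hashlib.sha256(token.encode()).digest(),
            "verified": False, "profile": {"date_of_birth": "1980-01-01"},
        }
        return token  # a real service would email this to `email`

    def _authenticated(self, email, password):
        acct = self.accounts.get(email.strip().lower())
        ok = acct and hmac.compare_digest(acct["pw"], _kdf(password, acct["salt"]))
        return acct if ok else None

    def confirm(self, email, token, password):
        # Token shows mailbox access; password shows it is the registrant.
        acct = self._authenticated(email, password)
        digest = hashlib.sha256(token.encode()).digest()
        if not (acct and hmac.compare_digest(acct["token"], digest)):
            return False
        acct["verified"] = True
        return True

    def can_reset_password(self, email):
        # No reset email goes to an address that was never confirmed.
        acct = self.accounts.get(email.strip().lower())
        return bool(acct and acct["verified"])

    def view_profile(self, email, password):
        acct = self._authenticated(email, password)
        if not acct or not acct["verified"]:
            raise PermissionError("confirmed address and password required")
        return acct["profile"]
```

If the address was mistyped identically in both fields, the person who receives the confirmation email holds the token but not the password, so the account stays unconfirmed and the profile stays closed.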

Contact Keller Postman UK’s expert data breach lawyers to discuss a data breach claim.

[1] Quarter 3, Financial Year 2020/21

In March 2024, our firm changed its name to KP Law. 
