
Anti-fraud body leaks dozens of email addresses in invite mishap

Anti-fraud nonprofit Cifas was left red-faced after sending out a calendar invite that exposed the email addresses of dozens of individuals working across the fraud space.

The invite, sent in August, was for a session scheduled for October 16 about the organization’s JustMe app, which allows individuals to confirm whether applications made in their name are genuine.

Over a dozen addresses were exposed in the To field, with another 45 in the CC field, according to the message, a copy of which was seen by The Register.

These appeared to include individuals working at security vendors and management consultancies as well as publishing firms. Invitees from the public sector, including national government, also had their email addresses displayed.

The slogan used by Cifas is: “We protect your organisation from fraud and financial crime”.

The Information Commissioner’s Office (ICO) considers an email address to be personal data, so best practice is to not put email addresses in the CC field for bulk emails. But using BCC can still leave addressees – and senders – exposed.

A spokesperson at the ICO told The Register it had not received a breach report on the Cifas mishap. “Organizations must always notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organization decides that a breach doesn’t need to be reported they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”

In 2023, Mihaela Jembei, Director of Regulatory Cyber at the ICO, said: “Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.”

So for bulk mail, the regulator advises the use of bulk email services, mail merge, or secure data transfer services.

The ICO says: “Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them.”

It adds that organizations should ensure that staff are trained on security measures when sending bulk communications by email.
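The two practices the ICO points to, a check that an outgoing message does not expose its recipient list and a mail-merge style send that gives each invitee their own message, look like this in Python's standard library. This is an added example, not code from The Register, Cifas or the ICO; the addresses, the `MAX_VISIBLE_RECIPIENTS` threshold and the `fake_transport` stand-in for `smtplib` are constructed for illustration, and the Bcc handling mirrors what `smtplib.SMTP.send_message` does when it strips the Bcc header before transmission.

```python
"""
Added example (not from the article, Cifas or the ICO): defensive patterns
for bulk e-mail that keep the recipient list out of every recipient's view.

1. preflight(): counts addresses visible to all recipients (To + Cc) and
   refuses messages that exceed a threshold (the "everyone in CC" mishap).
2. merge_send(): mail merge, one message per invitee, each carrying only
   that person's address. Sending is stubbed so the script runs offline.
3. envelope_and_wire(): shows why Bcc is safer than Cc when handled
   correctly: Bcc addresses go into the SMTP envelope, not the headers.
"""
import email
import email.policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample invitees (hypothetical addresses, not real people).
INVITEES = [
    ("Ada", "ada@example-vendor.test"),
    ("Ben", "ben@example-consultancy.test"),
    ("Cho", "cho@example-gov.test"),
]
SENDER = "events@example-org.test"
SUBJECT = "JustMe app session"
MAX_VISIBLE_RECIPIENTS = 1  # assumption: a bulk send should show each reader only themselves


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address a recipient of this message can see: To plus Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def preflight(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True when the message may be sent; False when it exposes a recipient list."""
    return len(visible_recipients(msg)) <= limit


def build_leaky_invite(invitees, sender=SENDER, subject=SUBJECT) -> EmailMessage:
    """The mishap pattern: first invitee in To, everyone else in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = invitees[0][1]
    msg["Cc"] = ", ".join(addr for _, addr in invitees[1:])
    msg["Subject"] = subject
    msg.set_content("Session invite.\n")
    return msg


def build_invite(name: str, address: str, sender=SENDER, subject=SUBJECT) -> EmailMessage:
    """One invite for one person: only their own address appears in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"{name} <{address}>"
    msg["Subject"] = subject
    msg.set_content(f"Hi {name},\n\nYou are invited to the session on 16 October.\n")
    return msg


def fake_transport(msg: EmailMessage) -> None:
    """Stand-in for smtplib.SMTP.send_message; sends nothing."""


def merge_send(invitees, sender=SENDER, subject=SUBJECT, transport=fake_transport):
    """Mail merge: build, check and hand off one message per invitee."""
    sent = []
    for name, address in invitees:
        msg = build_invite(name, address, sender, subject)
        if not preflight(msg):
            raise ValueError(f"refusing to send: {len(visible_recipients(msg))} visible addresses")
        transport(msg)
        sent.append(msg)
    return sent


def build_bcc_invite(invitees, sender=SENDER, subject=SUBJECT) -> EmailMessage:
    """Single message addressed to the sender, with all invitees in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(addr for _, addr in invitees)
    msg["Subject"] = subject
    msg.set_content("Session invite.\n")
    return msg


def envelope_and_wire(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Split a Bcc message into SMTP envelope recipients and the bytes put on the wire.
    Bcc addresses feed RCPT TO but are removed from the headers, as smtplib does."""
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(all_headers) if addr]
    wire = email.message_from_bytes(msg.as_bytes(), policy=email.policy.default)
    del wire["Bcc"]
    return envelope, wire.as_bytes()


if __name__ == "__main__":
    print("leaky invite passes preflight:", preflight(build_leaky_invite(INVITEES)))
    sent = merge_send(INVITEES)
    print("merge send: messages =", len(sent),
          "max visible per message =", max(len(visible_recipients(m)) for m in sent))
    rcpts, wire = envelope_and_wire(build_bcc_invite(INVITEES))
    print("bcc envelope =", rcpts, "| Bcc header on wire:", b"Bcc:" in wire)
```

The preflight check is deliberately conservative: it treats any message whose To and Cc together name more than one person as a potential leak, which is the right default for bulk communications to people who have no relationship with each other. The mail-merge path is preferable to Bcc for that case because a reply-all or a misconfigured client can never reconstruct a list that was never in any header.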

The Register asked Cifas and the ICO to comment, but they had not responded at the time of publication. ®
