Anti-fraud nonprofit Cifas accidentally exposed dozens of email addresses by using CC instead of BCC when sending calendar invites for an October event. The breach included addresses from security vendors, consultancies, and government officials. The UK's Information Commissioner's Office considers email addresses personal data under GDPR and recommends using BCC, mail merge, or bulk email services for mass communications. Organizations must report data breaches within 72 hours unless they pose no risk to individuals' rights and freedoms. Email CC/BCC misuse remains one of the top reported data breaches annually.
Sort: