Cifas exposes dozens of email addresses in invite mishap

"Anti-fraud nonprofit Cifas was left red-faced after sending out a calendar invite that exposed the email addresses of dozens of individuals working across the fraud space. The invite was sent in August to a session scheduled for October 16 about the organization's JustMe app, which allows individuals to confirm if applications made in their name are genuine. Over a dozen addresses were exposed in the To field, with another 45 in the CC field, according to the message."
"The Information Commissioner's Office (ICO) considers an email address to be personal data, so best practice is to not put email addresses in the CC field for bulk emails. But using BCC can still leave addressees - and senders - exposed. A spokesperson at the ICO told The Register it had not received a breach report on the Cifas mishap."
"In 2023, Mihaela Jembei, Director of Regulatory Cyber at the ICO, said: 'Failure to use BCC correctly in emails is one of the top data breaches reported to us every year - and these breaches can cause real harm, especially where sensitive personal information is involved.' So for bulk mail, the regulator advises the use of bulk email services, mail merge, or secure data transfer services."
Cifas sent an August calendar invite for an October session that revealed the email addresses of dozens of professionals across private and public sectors. The invite concerned the JustMe app, which helps people verify applications made in their name. Over a dozen addresses appeared in the To field and about 45 appeared in CC. The Information Commissioner's Office classifies email addresses as personal data and warns against placing addresses in CC for bulk mail; BCC errors remain a common cause of breaches. The ICO advises using bulk email services, mail merge, or secure data transfer and requires breach reporting within 72 hours when risks to rights and freedoms exist.
Read at The Register