Cifas Exposes Email Addresses in Calendar Invite Error

Cifas, an anti-fraud nonprofit organization, faced significant embarrassment after a calendar invite inadvertently disclosed the email addresses of numerous individuals involved in fraud prevention. This incident occurred in August when the organization sent out invitations for a session scheduled on October 16 regarding its JustMe app, which enables users to verify the authenticity of applications made in their name.

The calendar invite included over a dozen email addresses in the “To” field and an additional 45 in the “CC” field. Recipients included personnel from security firms, management consultancies, publishing companies, and public sector representatives, including individuals from national government agencies. Cifas promotes itself with the slogan, “We protect your organisation from fraud and financial crime.”

According to the Information Commissioner's Office (ICO), email addresses are classified as personal data. Best practices advise against including such addresses in the CC field for mass communications. Although using BCC can mitigate risk, it may still leave both recipients and senders vulnerable to exposure. A representative from the ICO informed The Register that they had not yet received a report regarding the breach.

Organizations are required to notify the ICO within 72 hours of becoming aware of any personal data breach unless the breach is deemed to pose no risk to individuals' rights and freedoms. If a breach is not reported, organizations should maintain a record and be prepared to justify their decision if necessary.

In a statement earlier this year, Mihaela Jembei, Director of Regulatory Cyber at the ICO, highlighted that improper use of BCC in emails consistently ranks among the most reported data breaches. Such breaches can lead to significant harm, particularly when sensitive personal information is involved. The ICO recommends utilizing bulk email services, mail merges, or secure data transfer services for large email distributions.

Even when email content is not sensitive, revealing the recipients can unintentionally disclose confidential or sensitive information about individuals. The ICO emphasizes the importance of training staff on security protocols when sending mass emails.
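The control the ICO describes can be enforced before a message leaves the organization. The following is an added example (not code from Cifas, the ICO or The Register) of a pre-send check that counts the recipients everyone will see in To and Cc and, above an assumed policy threshold, rewrites the message into one copy per recipient, which is what a mail merge does. The sample invite and the threshold value are constructed for this example.

```python
"""Pre-send check against recipient disclosure via To/Cc on mass mail."""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 5  # assumed policy value, not an ICO figure

# Constructed sample: one invite with six addresses visible to everyone.
SAMPLE_INVITE = """\
From: events@example.org
To: a@example.com, b@example.net
Cc: c@example.com, d@example.org, e@example.net, f@example.com
Subject: Invitation: product session, 16 October
Content-Type: text/plain

You are invited to a session about the app.
"""


def visible_recipients(raw: str) -> list[str]:
    """Return every address that all recipients can see (To + Cc)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _name, addr in pairs if addr]


def discloses_recipients(raw: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True when sending would expose more visible addresses than policy allows."""
    return len(visible_recipients(raw)) > limit


def split_per_recipient(raw: str) -> list[EmailMessage]:
    """Rewrite one many-recipient message into one copy per recipient.

    Each copy keeps From, Subject and body but carries a single address in
    To and no Cc, so no recipient learns who else was invited.
    """
    original = Parser(policy=policy.default).parsestr(raw)
    copies = []
    for addr in visible_recipients(raw):
        m = EmailMessage(policy=policy.default)
        m["From"] = str(original["From"])
        m["To"] = addr
        m["Subject"] = str(original["Subject"])
        m.set_content(original.get_content())
        copies.append(m)
    return copies
```

A gateway would block or rewrite only when `discloses_recipients` returns True; below the threshold the original message passes unchanged.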

At the time of publication, both Cifas and the ICO had not responded to inquiries regarding the incident.