
That ‘BCC’ email field can save you from data leaks

This month multiple stories have emerged of companies exposing their member email addresses to each other.

This typically happens through human error: someone sends an email to many recipients with their addresses in the “To” or “CC” fields, or by hitting “Reply-All”, instead of placing them in the “BCC” field, which is hidden from the recipients.

First, The Register reported that Substack sent a mass email announcing its privacy policy updates to its members without using the BCC option.

This meant every recipient could see the addresses of everyone else the email had been sent to, as many as 500 people.

Now the Shropshire Star, the council’s local newspaper, reports that Shropshire Council made the same mistake, revealing some 250 email addresses to the recipients of its newsletter.

As the newspaper reported, the Council then sent a follow-up apology email detailing what had happened:

“The outcome of the investigation was that a group email address was used on July 23 to send an email to a number of individuals including yourself. However, instead of the ‘BCC’ field being used, the ‘to’ field was used in error, meaning that email addresses were made visible to all other email recipients.”

“The investigation identified that there was no personal data in the content of the email itself, but that personal email addresses had been inadvertently shared with other recipients. As a result of the concerns and the incident, we followed our internal procedure when such incidents occur and we took immediate actions to ensure any risk was mitigated as much and as far as possible.”

BCC is privacy-centric

The perk offered by BCC is that the recipients of a mass email cannot see each other’s email addresses: BCC addresses are used only to deliver the message and are not included in the headers that each recipient receives.

At a time when data leaks and breaches are on the rise and privacy legislation is getting stricter, the human element remains the weakest link in the overall security of a system.

Adopting the simple habit of using “BCC” for outgoing mass emails can prevent mishaps like these. It does take away the recipients’ ability to “Reply All”, but there are ways around that.

One option is to send from a dedicated newsletter address, put that same address in the “To” field, and place the actual recipients in the BCC field. Any reply, including a “Reply All”, then goes to the newsletter address rather than to the other recipients.

Alternatively, say the address that sends out newsletters is “newsletter@your-company(.)com”. Your IT administrator can set up the mail system so that any email sent to this address is forwarded to every newsletter member, in effect a distribution list.

You then wouldn’t need to BCC every member individually: an email from “newsletter@your-company(.)com” sent to “newsletter@your-company(.)com” does the trick. The one caveat is that such a list must be restricted to accept mail only from authorised senders; otherwise anyone who replies to it, or anyone who learns the address, can reach every member.
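The Python below is an added example, not code from the article or from any of the organisations it mentions, showing the difference between the two approaches in code: the exposed form puts every address in the visible “To” header, while the discreet form keeps the recipients in the SMTP envelope only and shows the newsletter address in “To” so that replies go back to the list. The addresses and the `your-company.example` domain are constructed for the example, and the `send()` helper assumes a local MTA on port 25.

```python
"""
Build a mass mailing so that recipients never see each other's addresses.

The rule: recipient addresses belong in the SMTP envelope (RCPT TO),
not in the message headers that every recipient receives.
"""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for this example; not real addresses.
LIST_ADDRESS = "newsletter@your-company.example"
RECIPIENTS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]


def build_exposed(sender, recipients, subject, body):
    """The mistake in the article: every address in the visible To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_discreet(sender, list_address, recipients, subject, body):
    """Recipients go only in the envelope; the To header shows the list address.

    Returns (message, envelope_recipients). The message carries no Bcc
    header at all, so even a client or library that sends headers verbatim
    cannot leak the list. Replies, including Reply-All, go to the list
    address, which the mail server can redistribute.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_address
    msg["Reply-To"] = list_address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_addresses(msg):
    """Addresses a recipient can read from the delivered headers."""
    headers = []
    for name in ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc"):
        headers.extend(str(h) for h in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def leaked_recipients(msg, recipients):
    """Return the recipients whose address is exposed in msg's headers."""
    visible = visible_addresses(msg)
    return sorted(r for r in recipients if r.lower() in visible)


def send(msg, envelope_recipients, host="localhost", port=25):
    """Hand the envelope recipients to SMTP separately from the headers.

    sendmail() never looks at the headers: the message is delivered to
    everyone in envelope_recipients and shows none of them. Assumes an
    MTA is reachable at host:port (not the case in the test run).
    """
    with smtplib.SMTP(host, port) as smtp:
        return smtp.sendmail(msg["From"], envelope_recipients, msg.as_bytes())


if __name__ == "__main__":
    bad = build_exposed(LIST_ADDRESS, RECIPIENTS, "Privacy update", "Hello")
    print("exposed:", leaked_recipients(bad, RECIPIENTS))
    good, envelope = build_discreet(
        LIST_ADDRESS, LIST_ADDRESS, RECIPIENTS, "Privacy update", "Hello"
    )
    print("discreet:", leaked_recipients(good, RECIPIENTS))
    print("envelope:", envelope)
    # send(good, envelope)  # uncomment when a local MTA is available
```

Note the pitfall this layout avoids: if you put the recipients in a `Bcc` header and then pass the serialised message to `sendmail()`, that header is transmitted to everyone. `EmailMessage` plus `smtplib.SMTP.send_message()` strips `Bcc` for you, but keeping the list out of the headers entirely means no library behaviour has to be relied on.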

Adopting privacy-focused email management practices and systems is critical at a time when businesses and the public are doubling down on security awareness.

Ax Sharma

Ax Sharma is a UK-based security researcher, journalist and TV subject matter expert experienced in malware analysis and cybercrime investigations. His areas of interest include open source software security and threat intel analysis. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
