
That ‘BCC’ email field can save you from data leaks

This month multiple stories have emerged of companies exposing their member email addresses to each other.

This typically happens through human error: someone sends an email to multiple recipients using the “Reply-All”, “To” or “CC” fields of the email client instead of the discreet “BCC” field.

First, The Register reported how Substack sent out a mass email announcing its privacy policy updates to its members. The misstep Substack made was not using the BCC option.

This let every recipient see the addresses of everyone else the email had been sent to, as many as 500.

Now the Shropshire Star, the council’s local newspaper, reports that Shropshire Council made the same mistake, revealing some 250 email addresses to its newsletter recipients.

As the newspaper reported, the Council then sent out a follow-up email apology detailing what had happened:

“The outcome of the investigation was that a group email address was used on July 23 to send an email to a number of individuals including yourself. However, instead of the ‘BCC’ field being used, the ‘to’ field was used in error, meaning that email addresses were made visible to all other email recipients.”

“The investigation identified that there was no personal data in the content of the email itself, but that personal email addresses had been inadvertently shared with other recipients. As a result of the concerns and the incident, we followed our internal procedure when such incidents occur and we took immediate actions to ensure any risk was mitigated as much and as far as possible.”

BCC is privacy-centric

The perk offered by BCC is that the recipients of a mass email cannot see each other’s email addresses.

In this day and age, when data leaks and breaches are on the rise and privacy legislation is getting more and more intense, the human element remains the weakest link in overall system security.

Adopting the simple habit of using “BCC” in your outgoing emails can prevent mishaps like these from happening. It removes the recipients’ ability to “Reply All”, but there are solutions to this.

One option is to send the email from a dedicated newsletter address, replies to which reach every recipient, while the actual recipient addresses go in the BCC field.

Alternatively, say the address that sends out newsletters is “newsletter@your-company(.)com”. Your IT administrator can set up the mail system so that any email sent to this address is forwarded to all your newsletter members.

That way you wouldn’t even need to BCC every member individually. An email from “newsletter@your-company(.)com” sent to “newsletter@your-company(.)com” can usually do the trick.
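The BCC approach above, worked through in code. This is an added example, not code from the article or from any of the organisations it mentions: it builds a mass mailing the safe way (members only in Bcc, the sender’s own address in To), builds the mistaken version (members in To) for comparison, models what a correct mail client transmits (Bcc stripped, as Python’s smtplib.send_message does), and provides a pre-send check that flags any member address visible to all recipients. The sender and member addresses are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (placeholder addresses, not from the article)
SENDER = "newsletter@example.org"
MEMBERS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def addresses(msg, *headers):
    """Bare, lower-cased addresses from the named headers (each may repeat)."""
    values = []
    for h in headers:
        values.extend(str(v) for v in msg.get_all(h, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def build_newsletter(sender, members, subject, body):
    """The BCC way: To carries only the sender's own address, every member
    goes into Bcc, so no recipient learns who else was mailed."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_newsletter(sender, members, subject, body):
    """The mistake the article describes: members placed in To."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Where SMTP actually delivers: To, Cc and Bcc combined."""
    return addresses(msg, "To", "Cc", "Bcc")


def on_the_wire(msg):
    """Bytes a correct client transmits. smtplib.send_message removes the
    Bcc header before sending; this mimics that so the list never leaves
    the sender's side."""
    copy = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    del copy["Bcc"]
    return copy.as_bytes()


def visible_recipients(raw):
    """What every recipient can read in the delivered message headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return addresses(msg, "To", "Cc")


def leaked_members(raw, sender, members):
    """Pre-send guard (or post-incident triage): member addresses that are
    exposed to all recipients. Empty means the mailing is safe to send."""
    visible = set(visible_recipients(raw))
    return sorted(m.lower() for m in members
                  if m.lower() in visible and m.lower() != sender.lower())


if __name__ == "__main__":
    good = build_newsletter(SENDER, MEMBERS, "Policy update", "Hello all")
    bad = build_leaky_newsletter(SENDER, MEMBERS, "Policy update", "Hello all")
    print("safe mailing, leaked:", leaked_members(on_the_wire(good), SENDER, MEMBERS))
    print("leaky mailing, leaked:", leaked_members(on_the_wire(bad), SENDER, MEMBERS))
```

In practice `smtplib.SMTP.send_message(msg)` takes its delivery list from To, Cc and Bcc and strips Bcc from the transmitted headers, which is exactly what `on_the_wire` models; running `leaked_members` on the bytes that would leave the server is a cheap last line of defence against the To-instead-of-BCC slip. The forward-to-all newsletter address the article suggests is a mailing list, and the same check applies to the message the list expands: member addresses should never appear in its To or Cc.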

Adopting privacy-focused email management practices and systems is critical in today’s world, where businesses and the public alike are doubling down on security awareness.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
