That ‘BCC’ email field can save you from data leaks

This month multiple stories have emerged of companies exposing their member email addresses to each other.

This typically happens due to human-induced error, when a person erroneously sends an email to multiple recipients using “Reply-All”, “To” or “CC” fields of the email client, as opposed to using the discreet “BCC” field.

First, The Register reported how Substack sent out a mass email announcing their privacy policy updates to its members. But the misstep Substack made was not using the BCC option.

This enabled email recipients to see everyone’s email addresses, as many as 500, to whom this email had been sent.

Now, Shropshire Star, the council’s local newspaper reports that Shropshire Council made the same mistake revealing some 250 email addresses to their newsletter recipients.

As the newspaper reported, the Council then sent out a follow up email apology detailing what had happened:

 “The outcome of the investigation was that a group email address was used on July 23 to send an email to a number of individuals including yourself. However, instead of the ‘BCC’ field being used, the ‘to’ field was used in error, meaning that email addresses were made visible to all other email recipients.”

“The investigation identified that there was no personal data in the content of the email itself, but that personal email addresses had been inadvertently shared with other recipients. As a result of the concerns and the incident, we followed our internal procedure when such incidents occur and we took immediate actions to ensure any risk was mitigated as much and as far as possible.”

BCC is privacy-centric

The perk offered by BCC is that the recipients of a mass email cannot see each others’ email addresses.

In this day and age when data leaks and breaches are on the rise, and privacy legislation is getting more and more intense, human element remains the weakest link compromising the overall system security.

Adopting a simple habit of using “BCC” in your outgoing emails can prevent mishaps like these from happening. It may take out the “Reply All” ability for the recipients, but there are solutions to this.

How about sending an email from a specially-commissioned newsletter email address replying to which copies every recipient, but putting the actual “recipient” email address in the BCC field.

Alternatively, say the email address that sends out newsletters is “newsletter@your-company(.)com”. Your IT administrator can setup the system in such a way, so that any email sent to this email gets forwarded to all your newsletter members.

Therefore, you wouldn’t even need to individually BCC every member. An email from “newsletter@your-company(.)com” sent out to “newsletter@your-company(.)com” can usually do the trick.

Adopting privacy-focused email management best practices and systems in critical in today’s world where businesses and the public are doubling up on security awareness.