Hamilton employee mistakenly sends email blast with all names and addresses visible

The carbon-based units are again responsible for a huge breach of security controls at an organization.

This time it was an employee of the City of Hamilton, who hit an email ‘send’ button too fast on a message to 450 residents who had registered to vote by mail in the upcoming municipal election.

Unfortunately, the employee didn’t use the ‘blind carbon copy’ (bcc) function. Instead, the list of recipients went into the ‘To’ field, so all recipients could see everyone’s name and email address.

According to the Hamilton Spectator, one person who received the blast complained to the city as well as to the provincial information and privacy commissioner.

In response, the city sent out a statement saying it regrets the error and any distress that this incident may cause those who have used the Vote by Mail process.

“Multiple email addresses were inadvertently entered in the to: line of the email instead of the bcc: line, exposing email addresses to all recipients of the email message. Immediate steps were taken to recall the message and to notify all affected individuals.

“The City of Hamilton takes the responsibility of protecting the security of individuals and their personal information very seriously and will conduct a review of processes to ensure staff are trained in the protection of personal information.”

The city has notified the provincial information and privacy commissioner (IPC) because possible data breaches are subject to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).

In an email, the IPC’s office said it has been notified by the city and has received two privacy complaints.

The IPC doesn’t have statistics on misdirected emails from public institutions covered by the provincial freedom of information and privacy act (FIPPA) and MFIPPA, as they are not required to report privacy breaches. However, the IPC added, health information custodians subject to the provincial health information privacy act are required to report privacy breaches. Last year, 1,165 — or about 12 per cent — of unauthorized disclosures of personal health information were caused by misdirected emails.

“Unfortunately, misdirected emails are a common — though avoidable — cause of privacy breaches,” the IPC statement said. “Commissioner Kosseim has written a blog about misdirected emails and the importance of having explicit policies, procedures and administrative safeguards in place when handling personal information to avoid such unauthorized disclosures of personal information. Employees need to be well-trained to be aware of potential privacy risks and follow proper protocols to avoid privacy breaches. This includes checking and double-checking the intended recipients of the email, making sure they are in the appropriate field — CC or BCC — and reviewing the content of both emails and attachments before pressing send. Documents or spreadsheets containing the personal information of individuals should be encrypted with strong passwords. That way, even if they are mistakenly attached to an email or sent to the wrong person, unauthorized recipients cannot read them.”

The blind carbon copy feature was added to early email systems to prevent receivers of mass emails from seeing the list of other people the message went to. The idea is, the sender pastes the list of recipients in the ‘Bcc’ field. However, some people who don’t look carefully paste the list into the ‘To’ or ‘cc’ (carbon copy) field, and everyone who gets the message can see the names — or at least the nicknames — and the email addresses of everyone else.

In 2016 Axa Insurance listed this as one of the five dreaded email failures. Some application developers have created email plug-ins for popular email systems to prevent this problem.

David Shipley, head of New Brunswick security awareness training firm Beauceron Security, said the confusion over BCC “is literally the oldest privacy breach mistake in the book and one that every organization ends up having to deal with sooner or later.”

“The reality is, people are human and they make mistakes. It’s really important that if you have critical communications with multiple individuals that the right tools are set up to ensure privacy obligations are met.

“These kinds of incidents are a reminder that people often use their email platform as the hammer to solve every problem, when it can often cause as much harm as good. For example, a good customer relationship management platform is a much safer way to do stakeholder communications.”


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com