Why leaking email addresses is a data breach

/ Martijn Brinkers

Every now and then a news article appears about someone who put the recipients of a mass mailing in the cc field instead of the bcc field, thereby leaking the email addresses of all recipients to each other.

If the email is from your local sports club, most recipients would probably not consider this a data breach (although technically it is). If the email is from a clinic, however, most recipients would think differently.

For example, in 2015 an HIV clinic sent a newsletter to 780 recipients (Inquiry launched after HIV clinic reveals hundreds of patients' identities). Instead of using the bcc field, the sender used the cc field, thereby revealing the identities of people living with HIV to every other recipient.

There are plenty of other similar incidents that are considered data breaches.

Most of these mistakes are human errors: the sender should have used bcc instead of cc. What is striking, however, is that most companies have no protection whatsoever against this common mistake. Why, for example, does Outlook let a sender put dozens of recipients in the cc field without so much as a warning?

Instead of handling the cc problem on the client side (for example with an Outlook plugin, which has to be installed and kept working on every desktop), a system-wide content scanner on the outbound mail path can catch it for all senders at once.

For example, the CipherMail email encryption gateway has a DLP engine that can be instructed to quarantine an email if it detects more than a certain number of email addresses in the message. This works because of how the two fields behave: cc addresses are part of the message headers that are actually sent, whereas bcc addresses are removed by the mail client before the message leaves it and are never part of the transmitted message. A cc'd newsletter therefore trips the address count, while the same newsletter sent via bcc passes. If a message is quarantined, the DLP engine notifies both the sender and the DLP managers. The DLP managers can inspect the message and release it after approval. Alternatively, the quarantine can be configured to be "self managed", which lets the sender review the quarantined message and release it themselves.

See the example DLP patterns for a set of ready-made patterns, including one that quarantines a message if more than 20 email addresses are detected.
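To make the cc/bcc asymmetry and the address-count rule concrete, here is an added example (not CipherMail's code and not part of the original post) in Python. It builds a constructed newsletter with 25 fictional patient addresses, models the mail client stripping the Bcc header on submission, and then applies a regex-based "more than 20 addresses" rule to the raw message, headers and body alike, the way a content scanner rather than a client plugin would. The address regex, the `patientNNN@example.net` recipients, and the `clinic.example` sender are assumptions for illustration.

```python
import re
from email.message import EmailMessage

# Address pattern of the kind a regex-based DLP rule would use. It is
# deliberately simple and over-matches (it also catches the From: and To:
# addresses), which is fine for a "too many addresses" rule.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Threshold from the DLP pattern discussed on the page: quarantine if more
# than 20 addresses are found in the message.
MAX_ADDRESSES = 20

# Constructed test data: 25 fictional recipients (not real addresses).
PATIENTS = [f"patient{i:03d}@example.net" for i in range(25)]


def build_newsletter(recipients, field):
    """Build a sample newsletter with every recipient in `field` ("Cc" or "Bcc").
    The sender and subject are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "newsletter@clinic.example"
    msg["To"] = "newsletter@clinic.example"  # the usual 'send it to myself' trick
    msg["Subject"] = "Monthly newsletter"
    msg[field] = ", ".join(recipients)
    msg.set_content("Dear patient, please find this month's news below.")
    return msg


def submit(msg):
    """Model what a mail client does on submission: the Bcc header is dropped
    before the message leaves the client, so bcc addresses are not in the
    message that the gateway (or the other recipients) see. Cc is left alone.
    Modifies and returns the same message object."""
    del msg["Bcc"]
    return msg


def count_addresses(raw):
    """Count distinct e-mail addresses anywhere in a raw RFC 5322 message.
    Folded header lines are unfolded first so an address list that was
    wrapped over several lines is scanned as one logical line."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return len({m.lower() for m in ADDRESS_RE.findall(unfolded)})


def dlp_decision(raw, max_addresses=MAX_ADDRESSES):
    """Return ("quarantine" | "deliver", address_count) for a raw message."""
    n = count_addresses(raw)
    return ("quarantine" if n > max_addresses else "deliver", n)


def demo():
    """Run the rule against the same newsletter sent via Cc and via Bcc."""
    results = {}
    for field in ("Cc", "Bcc"):
        msg = submit(build_newsletter(PATIENTS, field))
        results[field] = dlp_decision(msg.as_string())
    return results


if __name__ == "__main__":
    for field, (decision, n) in demo().items():
        print(f"{field:3}: {n:2d} addresses -> {decision}")
```

The Cc variant contains the sender address plus 25 recipients (26 distinct addresses) and is quarantined; the Bcc variant contains only the sender address after submission and is delivered. Note that the rule counts every address it can see, including those in the body, so a legitimate message that quotes a long address list in its text will also be held; that is the price of a simple pattern and why a human (or the sender, in a self-managed quarantine) gets to release it.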

Leaking email addresses is a data breach under the General Data Protection Regulation (GDPR) and the Dutch "meldplicht datalekken" (the data breach notification duty), and under similar laws in most other countries. Even though you can instruct your employees not to make the cc versus bcc mistake, chances are that mistakes will still be made. An extra check on the mail path that catches most of these errors before the message leaves the organisation is a cheap way to prevent them.