While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are a much bigger problem. In fact, in organizations with 1,000 employees, at least 800 emails are sent to the wrong person every year. That's two a day.
Are you surprised? Most people are. That's why we've rounded up this list of 9 real-world (recent) examples of data breaches caused by misdirected emails.
University and college wellbeing services deal with sensitive personal information, including students' health, beliefs, disabilities, and their families. Most privacy laws impose stricter obligations on organizations handling such sensitive personal information—and there are harsher penalties for losing control of such data.
So imagine how awful the Wellbeing Adviser at the University of Liverpool must have felt when they emailed an entire school's worth of undergraduates with details about a student's recent wellbeing appointment. The email revealed that the student had visited the Adviser earlier that day. The student had been experiencing ongoing personal difficulties, and the Adviser had advised them to attend therapy.
A follow-up email urged all the recipients to delete the message "immediately" and appeared to blame the student for providing the wrong email address. One recipient of the email reportedly said: "How much harder are people going to find it going to get help when something so personal could wind up in the inbox of a few hundred people?"
Remember in 2019, when then-President Donald Trump faced accusations of pressuring Ukraine into investigating corruption allegations against now-President Joe Biden?
Once this story hit the press, the White House wrote an email—intended for Trump's political allies—setting out some "talking points" to be used when answering questions about the incident (including blaming the "Deep State media").
Unfortunately for the White House, they sent the email directly to political opponents in the Democratic Party.
White House staff then attempted to "recall" the email. If you've ever tried recalling an email, you'll notice that it doesn't usually work.
Recalling an email only works if the recipient is on the same Exchange server as you—and only if they haven't read the email.
On September 30, 2020, Australia's Department of Foreign Affairs and Trade (DFAT) announced a breach that exposed the personal details of over 1,000 citizens after an employee failed to use BCC.
The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan.
Immediately after DFAT sent the email, employees tried to recall it and even requested that recipients delete the email from their IT system and "refrain from any further forwarding of the email to protect the privacy of the individuals concerned."
In May 2020, an employee at Serco, a business services and outsourcing company, accidentally CC'd instead of BCC'ing almost 300 email addresses. Harmless, right? Unfortunately not.
The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident has put confidentiality at risk.
In January 2020, 450+ email addresses were exposed after being cc'd rather than BCC'd.
Here's what happened: A Sonos employee was replying to customers' complaints. Instead of putting all the addresses in BCC, they were CC'd, meaning that every customer who received the email could see the personal email addresses of everyone else on the list.
In September 2019, a gender identity clinic exposed the details of close to 2,000 people on its email list after an employee cc'd recipients instead of BCC'ing them. Two separate emails were sent, with about 900 people CC'd on each.
While email addresses on their own are considered personal information, it's vital to bear in mind the nature of the clinic. As one patient pointed out, "It could out someone, especially as this place treats people who are transgender." In 2016, the email addresses of 800 patients who attended HIV clinics leaked because they were – again – CC'd instead of BCC'd.
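To make the CC-versus-BCC mistake in the incidents above concrete, here is an added example (not code from the original post) using Python's standard email library. It builds the same one-to-many message both ways, shows that with BCC the recipient list never enters a header at all but travels separately as the SMTP envelope, and adds a simple outbound check of the kind a send hook or mail gateway could apply before a message leaves. All addresses are constructed placeholders and the exposure threshold is an assumed policy value.

```python
"""CC versus BCC at the message level, plus an outbound exposure check.

Added example, not from the original post. All addresses are constructed
placeholders; the exposure threshold is an assumed policy value.
"""
from email.message import EmailMessage

# Constructed sample recipient list (placeholder addresses, not real people).
SAMPLE_RECIPIENTS = [f"patient{i}@example.invalid" for i in range(1, 13)]


def build_cc_message(sender, recipients, subject, body):
    """The mistake behind the Serco, Sonos and clinic incidents: every
    recipient is placed in the Cc header, so each one can read the full list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, subject, body):
    """Safer shape for one-to-many mail: the recipient list never enters a
    header. It is returned separately as the SMTP envelope list, to be passed
    as to_addrs to smtplib.SMTP.send_message() (or your MTA's equivalent)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # a visible To satisfies picky MTAs and reveals nothing
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(recipients)  # delivered to, but absent from, the headers
    return msg, envelope


def visible_recipients(msg):
    """Addresses every recipient can see: everything in To and Cc."""
    seen = []
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            seen.extend(addr.addr_spec for addr in header.addresses)
    return seen


def recipient_exposure_finding(msg, threshold=5):
    """Outbound check a send hook or mail gateway could apply: flag any message
    that still carries a Bcc header or exposes more than `threshold` addresses
    in To/Cc. Returns None when the message is clean."""
    if "Bcc" in msg:
        # A Bcc header must be stripped before transmission; do not assume the
        # sending library will do it for you.
        return "Bcc header still present; strip it before sending"
    visible = visible_recipients(msg)
    if len(visible) > threshold:
        return (f"{len(visible)} addresses visible in To/Cc "
                f"(threshold {threshold}); move bulk recipients to Bcc")
    return None


if __name__ == "__main__":
    sender = "wellbeing@example.invalid"
    bad = build_cc_message(sender, SAMPLE_RECIPIENTS, "Appointment", "Hello")
    good, envelope = build_bcc_message(sender, SAMPLE_RECIPIENTS, "Appointment", "Hello")
    print("CC version :", recipient_exposure_finding(bad))
    print("BCC version:", recipient_exposure_finding(good), "| envelope size:", len(envelope))
```

The point of the check is that exposure is decided by what ends up in the headers, not by the sender's intent: a gateway that counts To/Cc addresses on outbound mail would have caught every CC-for-BCC incident listed here, regardless of which mail client was used.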
In January 2019, the University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? The university had only accepted 250 of those students. The other 400+ had not been accepted. While this isn't considered a breach (because it exposed no personal data), it shows that fat-fingering an email can have many consequences.
In this case, it damaged the university's reputation. Hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. Investigating and remediating the incident will also take up plenty of time and resources.
In January 2019, an official at Australia's Registered Organisations Commission (ROC) accidentally leaked confidential information, including a whistleblower's identity. How? When sending an email, the employee typed an incorrect character, and the message went to someone with the same last name – but a different first initial – as the intended recipient.
The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information Commissioner as a potential privacy breach.
Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year
In May 2018, Dignity Health – a large health system headquartered in San Francisco that operates 39 hospitals and 400 care centers across the West Coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services.
So, how did it happen? Dignity says the problem originated from a sorting error in an email list formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, addressed with the incorrect names. Because Dignity is a health system, these emails also often contain the name of the patient's doctor.