Substack Privacy Policy Update Email Blunder

By Dave McKay | July 29, 2020

A Simple Human Error Exposes Email Addresses

Substack, a subscription newsletter service, sent an email to its users telling them of a change of terms and an updated privacy policy. That in itself is fine; it’s required practice. But they pasted about 500 email addresses into the cc field instead of the bcc field.

That meant that everyone on the email saw all of the other recipients’ email addresses. In an email about a privacy policy - whoops.

“It’s not clear whether the users who received CCs instead of BCCs fall into a particular group or how many there were, but one of the email chains forwarded to Gizmodo contained 500 email addresses starting with the letter H to partway through the K’s. Another contained a similar deluge of emails including ones appearing to belong to Amazon CEO and world’s richest man Jeff Bezos, celebrity entrepreneur Mark Cuban, venture capitalist Peter Thiel, Sun Microsystems co-founder Vinod Khosla, civil rights activist Deray Mckesson, Snapchat CEO Evan Spiegel, Twilio CEO Jeff Lawson, and Getaround founder Jessica Scorpio.”

Even though some of these email addresses were publicly known and not “secret” as such, it is still a breach of the GDPR. Substack does not have the right to inform its membership who else is a member. It is a clear example of a data processing error. They apologised on Twitter with two tweets:

(1/2) “This evening we published an update to our privacy policy, terms of use, and publisher agreements and mistakenly sent an email notification to a small percentage of Substack users that included many email addresses in the ‘to’ line.”

(2/2) “While we caught the error early, it was too late to retract that first batch. We are so sorry this happened – and we are aware of the irony. This was a genuine mistake, we feel terrible about it, and we will do everything in our power to never repeat it.”

Simple mistakes can be costly. A GDPR breach doesn’t have to involve thousands of data records to attract the attention of a regulatory body like the Information Commissioner’s Office (ICO).

And you really don’t want to get on their radar. This was patently a human error. Consider staff awareness training to minimise the chances of this type of error. We’d be pleased to talk.

Source: Gizmodo