Plymouth council exposes hundreds in latest local government email gaffe




Authority admits mass message to home-schooling families revealed recipients’ addresses, prompting ICO report and apology

Plymouth City Council has joined the growing ranks of public bodies defeated by the humble BCC field after exposing the email addresses of around 500 home-schooling families in a mass-mailing mishap.

The blunder comes barely a week after City of York Council disclosed a similar mistake that exposed the email addresses of hundreds of disabled residents, suggesting that some public sector workers remain engaged in an ongoing battle with one of email’s oldest features.

The message, sent by Plymouth’s Elective Home Education team, was meant to share information about upcoming legislative changes, but it also shared the email addresses of hundreds of home-schooling families with one another.

A Register reader who contacted us about the incident described the aftermath as “a bit of a mess,” claiming follow-up communications caused further confusion among recipients.

Plymouth City Council did not respond to The Register’s questions, but in a statement provided to local media, it admitted the incident was caused by human error and affected approximately 500 families.

“Unfortunately, due to human error, a recent email was sent to approximately 500 families without using the BCC function, meaning recipient email addresses were visible,” the council said.

The authority said it contacted recipients as soon as it became aware of the problem, apologized, and asked families to delete the email and refrain from using any details they had received. It stressed that the message included no information relating to children and consisted solely of a general update.

The council said the email mishap was investigated internally and that affected families were contacted again once officials had pieced together what went wrong. It also promised extra checks designed to keep future mailing lists out of public view.

The council also reported the matter to the Information Commissioner’s Office (ICO).

An ICO spokesperson told The Register: “We can confirm that we received a report from Plymouth City Council regarding this incident. After carefully assessing the information in the report, we provided data protection advice and closed the case with no further action.”

While the exposure appears limited to email addresses rather than more sensitive personal information, the incident serves as another reminder that some of the most common data breaches do not involve sophisticated cybercriminals or ransomware gangs.

Sometimes all it takes is sending an email to a few hundred people and clicking the wrong box. ®


