Irish Data Protection Commission Case Studies
URL: http://www.bailii.org/ie/cases/IEDPC/2008/2.html
Cite as: [2008] IEDPC 2
Disclosure of email addresses by a financial institution [2008] IEDPC 2 (31 December 2008)
In April 2008, I received a complaint from a data subject whose email address had been disclosed by a financial institution. The disclosure took place when the financial institution issued an email to 114 individuals with the email addresses of each of them visible to all recipients.
The background to this incident was that the data subject received several phishing emails. Having consulted the relevant financial institution's website, he reported the matter using an email address provided by the financial institution for that purpose. Generally, phishing emails concerning banking services give the impression that they have been issued by a bank. They often request the recipient to log on to their online banking service to confirm their security details by clicking the link in the email. If a person clicks on that link they are routed to a 'spoof' site which looks like the bank's online service. The intention of the fraudster is that the recipient will be fooled into disclosing their confidential details to the 'spoof' site.
The matter of the disclosure of the data subject's email address was raised by my Office with the financial institution. It explained that when an email is received by the team which handles reported instances of phishing, a standard response is sent advising the user of additional precautions to take and providing related information. However, on a particular weekend in April 2008, an unprecedented number of emails were sent to the phishing alert email address. To respond to each email, a business decision was made to send a single response to all customers using the "bcc" (blind copy) option in email, which would have hidden all email addresses from the recipients. This bulk email failed because it was too large. To make the email more manageable for the mailbox, the user list was broken down into different outgoing emails. Due to a manual error, one of the emails was sent to 114 people using the "cc" option rather than the "bcc" option. This resulted in all 114 email addresses being visible to all recipients of the email.
The financial institution subsequently issued an email to the affected users to advise them of the incident and to apologise for the error. I am satisfied that the financial institution took prompt action to inform the affected parties that their email addresses had been disclosed. However, it is unfortunate that this disclosure occurred in the context of an email alert system that was established to prevent phishing.
All data controllers should take note of this incident and take steps to ensure that email addresses are not disclosed inadvertently. In particular, where an email is sent to a number of individuals it should be transmitted using the blind copy ('bcc') option in all situations which warrant it. It is the duty of data controllers to raise awareness amongst their employees about this issue and to foster a greater degree of care and responsibility in relation to the protection of personal data in the form of email addresses. However, I have some sympathy for data controllers where genuine mistakes occur in this area.
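The control described above (a single response to a large list, split into batches and sent by blind copy) can be made a matter of code rather than of a manual choice between "cc" and "bcc". The following is an added illustration, not material from the case study or from the financial institution: it batches a constructed list of 114 placeholder addresses, places recipients only in Bcc, checks each outgoing message for any customer address visible in To or Cc, and strips the Bcc header before the message is handed to the mail server. The sender address, recipient addresses and batch size are all assumptions.

```python
"""Added example (not part of the case study): send a phishing alert to a large
customer list in Bcc-only batches and refuse any message that exposes an address.
The sender, the recipient list and the batch size are constructed placeholders."""
import email
from email.message import EmailMessage
from email.policy import default

SENDER = "phishing-alerts@bank.example"          # placeholder sender address
# Constructed recipient list, the same size as the incident (114 addresses).
RECIPIENTS = [f"customer{i:03d}@customer.example" for i in range(114)]


def build_batches(recipients, batch_size):
    """Deduplicate, then split into batches small enough for the mail gateway."""
    unique = sorted({r.strip().lower() for r in recipients})
    return [unique[i:i + batch_size] for i in range(0, len(unique), batch_size)]


def build_notice(batch, subject, body, field="Bcc"):
    """Build one outgoing notice. The recipient list belongs in Bcc only; the
    `field` parameter exists so the Cc mistake can be exercised by the check."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "undisclosed-recipients:;"        # empty group: no customer address
    msg["Subject"] = subject
    msg[field] = ", ".join(batch)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read in the delivered copy (To and Cc)."""
    seen = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            seen.update(a.addr_spec.lower() for a in hdr.addresses)
    return seen


def check_no_leak(msg, batch):
    """True only if none of the batch appears in a header recipients can see."""
    return not (visible_recipients(msg) & {b.lower() for b in batch})


def for_transmission(msg):
    """Return (envelope recipients, bytes to hand to the MTA). Bcc is read for
    RCPT TO and then stripped so it never travels inside the message itself."""
    rcpts = [a.addr_spec for h in msg.get_all("Bcc", []) for a in h.addresses]
    wire = email.message_from_bytes(msg.as_bytes(), policy=default)
    del wire["Bcc"]
    return rcpts, wire.as_bytes()
```

A sending step would call `check_no_leak` on every batch and abort the run, rather than the single message, when it returns False, so an operator error of the kind described in the case study cannot reach the gateway.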