BCC emails remain public sector data-protection blind spot, ICO warns

Regulator targets ‘avoidable’ mistake as part of ongoing drive to improve standards
Photo: Adobe Stock

By Sam Trendall

11 Oct 2023

The injudicious use of the ‘BCC’ function of email applications remains among the biggest causes of public-sector data breaches, the enforcement chief of the Information Commissioner’s Office has warned.

In an exclusive interview as part of Cyber Security Week – currently taking place on CSW sister publication PublicTechnology – ICO deputy commissioner for regulatory supervision Stephen Bonner said that the inappropriate use of the blind carbon copy function when sending mass email messages has resulted in more than 1,000 data breaches reported to the regulator. The deployment of BCC is particularly problematic when communicating with citizens about the provision of public services related to domestic abuse, or care for various health conditions.

“It's one that can – at very low cost, by just using mail merge, rather than BCC – be engineered out,” the ICO enforcement chief said. “That capability is included in the main email packages… so, that us one that we hope soon to see disappear. Because it is avoidable, and the consequences can be quite horrific.”

The data-protection watchdog is currently about 15 months into a two-year trial of a ‘revised approach’ to the public sector which has seen no fines issued, but various organisations issued with a formal public reprimand, with the aim of promoting shared learning and an improvement in standards.

Bonner said: “We recognise that funding may be very tight, and therefore things that might impact on that funding further may not be the most effective use of resources,” Bonner told PublicTechnology. “Instead: can we get them to the outcome that they need? And can they then help others to do that? Because it's not just cooperation with us – it’s cooperation with the ecosystem, to raise standards everywhere. That is vital. And cover-ups don't help anyone.”

This week PublicTechnology is publishing a range of features, interviews and analysis examining the biggest cyber challenges facing public bodies and how they can be met, as well as the wider issues and context that is shaping the threat landscape and government’s response to it.

All the content is collated here, or can be accessed by clicking on the logo above.

Articles published so far include an analysis of what government data tells us about the most common forms of attack and the harm they can cause, as well as a feature looking at the huge – and hugely complex – problem of disinformation, and the controversy and concern caused by government’s work to combat it.

In interviews with the Cyber Resilience Centres for London and Wales, PublicTechnology has also examined the defences being put up against the biggest threats.

Tomorrow marks a webinar discussion – which is completely free to attend – where a panel bringing together expertise from government, industry and academia will take our audience’s questions on their skills challenges.

At the end of the week, we will look to future, including the likely impact of automation and artificial intelligence on the threat landscape, as well as asking where government goes next: do we need a department for cyber?

Read the most recent articles written by Sam Trendall - ICO to continue 'minimal-fine regime' for public-sector bodies

Share this page