Bristol Post
Tristan Cork

Council apologises to thousands of 'Bristol Citizens' after massive email data breach

Council chiefs have apologised to hundreds, possibly thousands, of people after they were sent each other’s email addresses in what was a major data breach.

Everyone in Bristol who had signed up to join or contribute to the Bristol Citizens’ Panel was able to see everyone else’s email addresses after an email sent out to its members was cc’d rather than bcc’d, which would have hidden the other recipients.

Ironically, the council was actually telling those Bristol residents that their email addresses would be deleted from the council’s database to meet GDPR rules - but instead they were shared with hundreds of other people.

The council soon realised when those people began to complain, and some did so by hitting ‘reply all’ so that their replies went to everyone on the list as well.

One person invited the whole list to join a different club and meet at Bristol’s biggest restaurant, Za Za Bazaars, instead.

The council said the email was sent out like that ‘in error’. It meant would-be members of, or contributors to, the Citizens’ Panel were able to not only see who else had applied to join it, but what their email addresses were.

The original email was one sent to everyone who had filled in a survey to take part in the Citizens’ Panel, or who had contributed their views to it over the past months and years.

The email was actually thanking them for contributing, telling them that the way the panel worked was going to be reviewed and that their email addresses and other details were going to be deleted, in accordance with GDPR data protection rules.

Instead, their email addresses were then visible and accessible to everyone else.

“We sincerely apologise for an email that was sent out in error earlier today,” the council later told them.

“The email was sent to recipients with the email details in the ‘To:’ address field so these were visible to everyone who received the message.

 

“This was done in error and should not have happened. This has been reported to the city council’s data controller as a data breach,” the apology email stated.

“Your email address will be deleted from the Citizens’ Panel database and you will not be contacted again,” it added.
