Law firm email blunder exposes Church of England abuse victim details
- Reference: 1756378937
- News link: https://www.theregister.co.uk/2025/08/28/lawyer_coe_email_blunder/
City firm Kennedys Law confirmed that due to "human error," the email addresses of 194 individuals and law firms were exposed to all recipients.
It said it made attempts to recall the emails, but these "were only partially successful."
The redress scheme, established for victims of abuse by those who held positions of power in the Church, including priests and bishops, was only recently set to start opening its application process after a bill was approved in July to begin its passage to law.
"Kennedys is deeply sorry for the hurt and concern caused to everyone affected by this significant error and accepts full responsibility," it said in a [2]statement. "We have contacted everyone who received the message and have reported the incident to the Charity Commission, the Information Commissioner's Office and the Solicitor's Regulatory Authority. We will fully comply with any investigations.
"We understand the significant impact this will have on those affected for which we apologise unreservedly. We remain committed to supporting victims and survivors of Church of England-related abuse to secure the financial redress, therapeutic, spiritual and emotional support, acknowledgement of wrongdoing on the part of the Church, apology and other forms of bespoke redress under this scheme."
The law firm added that an internal investigation was launched to understand how this happened, promising to incorporate all learnings "immediately."
The CoE [6]said: "While the Church of England is not the data controller for the Redress Scheme and does not hold or manage the data in question, we are nonetheless profoundly concerned. We are in discussions with Kennedys to understand how this breach occurred and to ensure robust steps are taken to prevent anything similar from happening again.
"This should not have happened. We will continue to monitor the situation closely and support efforts to restore trust and confidence."
Cases of CoE abuse date back decades. The [8]Independent Inquiry into Child Sexual Abuse (IICSA), published in 2022, revealed that between the 1940s and 2018, 390 Church associates were convicted of child sex abuse crimes.
It also noted that until 2015, the CoE's safeguarding arrangements – which represent 85 million Anglicans globally – were under-resourced.
This changed in late 2015, around a year after the idea of a redress scheme was first discussed between survivors and Church officials, according to the House of Survivors group's [10]timeline.
Over the years, the number of victims at the CoE alone is estimated to be in the many thousands, including children, teenagers, and adults.
Church dioceses received 3,287 reports of concerns and allegations in 2017 alone, representing a 50 percent increase compared to 2015.
Numerous convictions have been secured in recent years, and former long-serving Archbishop of Canterbury, Justin Welby, was forced to resign in 2024 over his failure to investigate claims of historical abuse.
"The Church of England failed to respond consistently to victims and survivors with sympathy and compassion, accompanied by practical and appropriate support," the IICSA noted. "This often added to the trauma of those who had experienced child sexual abuse by individuals connected to the Church.
"While there have been important improvements in child protection practice, the Church of England still has more to do to rebuild the trust of victims and survivors. Some internal past case reviews were flawed and inaccurate, and there was a tendency to minimise offending."
The incident, which is the latest of the many ways CoE abuse victims have been failed over the years, is just one in a litany of email-related failures that have affected vulnerable people in the UK and abroad.
The most notable case in recent years was the Ministry of Defence's [15]infamous leak of the 19,000 Afghan individuals who worked with British armed forces in fighting the Taliban, which also included British spies and SAS troops.
Standard email etiquette became so concerning in 2023 that the Information Commissioner's Office was forced to [16]issue a reminder of the dangers associated with confusing CC and BCC.
It cited cases involving an NHS Trust and an unspecified charity, which exposed the identities of patients and members of an [17]HIV advisory board, respectively. ®
[2] https://kennedyslaw.com/en/notices/kennedys-data-breach/
[6] https://www.churchofengland.org/safeguarding/safeguarding-news-releases/redress-scheme-data-breach-kennedys-law-llp
[8] https://www.iicsa.org.uk/index.html
[10] https://houseofsurvivors.org/churchofengland-redress-scheme/
[15] https://www.theregister.com/2025/08/06/mod_taps_aussie_ai_shop/
[16] https://www.theregister.com/2023/12/15/to_bcc_or_not_bcc/
[17] https://www.theregister.com/2023/03/31/nhs_highland_reprimanded_by_data/
Re: Hide and hide some more to hide it all
>> The whole organisation should be banned as a criminal organisation
Some self-appointed group of nonentities call themselves 'clerics', and use that as an excuse for all kinds of abuse. $GOD works in mysterious ways, is the old get out of jail free card.
Re: Hide and hide some more to hide it all
Sadly, in the UK, a country with neither a proper constitution, a bill of rights, separation of church and state or an independent judiciary, they act as agents of the state, which they are as the established church.
A law firm should know better. It should ensure its staff know better. It should have mechanisms in place that don't rely on staff knowing better.
This is not a whoops I made a boo boo !!!
A law firm should know better and MUST know that you cannot get away with a 'Whoops sorry !!!'.
This sort of error is so basic that it is nothing more than some form of negligence.
I hope the people who are now impacted by this 'go for the throat' as far as this law firm is concerned.
I have worked with many law firms in an IT capacity and they are usually very very focused on security/privacy and I had to go through many hoops before they would trust the company and its staff.
This is really bad !!!
:)
If you put more than 25 emails in 'cc' Outlook (and other email software) asks if you are sure about that. Kind of bonkers this can happen and points to a complete lack of staff knowledge of IT... which is probably about right for a law firm I guess.
FFS ... this is not acceptable !!!
"... points to a complete lack of staff knowledge of IT... which is probably about right for a law firm I guess."
This was true 20-30 years ago ... BUT now should be considered 100% unacceptable !!!
All law firms should have learnt, by now, that you cannot be slapdash with security/privacy ... there are no excuses available.
People are charged for the partners to be doing the work NOT the office juniors, so spend some of the money on proper training and basic security.
This makes me very angry as it is basic stuff that has been covered multiple times over the years.
:)
Another day
Another data breach fuck up.
Re: Another day
A fool failing to use BCC in a mailshot is not a breach.
Hidden figures at the MoD
The ICO says it warned the MoD about hidden tabs in spreadsheets, but that didn't stop them sending "the most expensive email in history" (BBC reports today about the Afghan debacle).
During the investigations, the MoD and ICO had secret meetings where "Written notes were forbidden". You couldn't make it up, could you - like Dad's Army with taxpayer's money (£850M).
It said it made attempts to recall the emails,
It amazes me how many people struggle to understand how this never ever works.
I wonder if I could set up a business rinsing marks for "recalling emails" - it's a professional service.
Re: It said it made attempts to recall the emails,
It more or less works if sender and all recipients are on the same Outlook server... but even under that perfect circumstance, if a recipient forwards the email before the recall, the recall is pooched. Recall just starts the Streisand Effect. Oooh, recalled... what's embarrassing here?
"Church of England still has more to do to rebuild the trust ..."
In terms of security, "trusted" means someone who can betray you. If the Church of England is doing nothing to rebuild trust then I applaud their inactivity.
One of the things I hated in school was sitting through collective worship in the morning. Just being there could have contributed to convincing others that religion has some sort of legitimacy. It turns out I might have had the [1]legal right to simply walk away and wait outside. No-one mentioned the option. In the sixth form I did not turn up for collective worship at all. I just did some homework elsewhere and no-one complained.
The House of Lords is taking a step in the [2]right direction. I hope they can change things for the better.
[1] https://assembliesforall.org.uk/about/law-on-assemblies/
[2] https://humanists.uk/2025/02/07/lords-support-bill-to-replace-collective-worship-with-inclusive-assemblies/
Re: "Church of England still has more to do to rebuild the trust ..."
The current government has promised to rid the Lords of its hereditary peers, but has not moved to kick out the lords spiritual, so no, that half-measure is mere window-dressing.
A business rinsing marks for "recalling emails"
That's a great idea.
But be sure to stress how these recollected emails would be incinerated in a responsible, sustainable and carbon-neutral way in your corporate advertisements!
Re: A business rinsing marks for "recalling emails"
I want my photons and electrons back!
Re: A business rinsing marks for "recalling emails"
Don't forget to throw in ... Blockchain & 'AI' as well !!!
[Save 'post quantum decryption risks' for the final pitch when you get the mark Customer to sign the 5-year contract.]
:)
Hide and hide some more to hide it all
While there have been important improvements in child protection practice, the Church of England still has more to do to rebuild the trust of victims and survivors. Some internal past case reviews were flawed and inaccurate, and there was a tendency to minimise offending.
That little admission says it all. There is no real interest in cleaning up the mess they created and allowed to flourish and fester for centuries. The whole organisation should be banned as a criminal organisation and all their assets seized, converted to cash and distributed to the poor. They have been involved in institutionalized crime for many hundreds of years and they really, really, do not want to change. Other organisations have been banned for less.