Anti-fraud body leaks dozens of email addresses in invite mishap
- Reference: 1761031810
- News link: https://www.theregister.co.uk/2025/10/21/cifas_email_blunder/
The invite was sent in August to a [1]session scheduled for October 16 about the organization's JustMe app, which allows individuals to confirm if applications made in their name are genuine.
Over a dozen addresses were exposed in the To field, with another 45 in the CC field, according to the message, a copy of which was seen by The Register.
These appeared to include individuals working at security vendors and management consultancies as well as publishing firms. Invitees from the public sector, including national government, also had their email addresses displayed.
The slogan used by [5]Cifas is: "We protect your organisation from fraud and financial crime".
The Information Commissioner's Office (ICO) considers an email address to be personal data, so [6]best practice is to not put email addresses in the CC field for bulk emails. But using BCC can still leave addressees – and senders – exposed.
A spokesperson at the ICO told The Register it had not received a breach report on the Cifas mishap. "Organizations must always notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.
"If an organization decides that a breach doesn't need to be reported they should keep their own record of it and be able to explain why it wasn't reported if necessary."
In 2023, Mihaela Jembei, Director of Regulatory Cyber at the ICO, said: "Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved."
So for bulk mail, the regulator advises the use of bulk email services, mail merge, or secure data transfer services.
The ICO says: "Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them."
It adds that organizations should ensure that staff are trained on security measures when sending bulk communications by email.
The Register asked Cifas and the ICO to comment, but they had not responded at the time of publication.
[1] https://www.fintechconnect.com/exhibitors/justme
[5] https://www.cifas.org.uk/fraud-prevention-community
[6] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/
[7] https://www.theregister.com/2017/01/31/nhs_reply_all_email_fail_half_billion_messages/
[8] https://www.theregister.com/2025/10/17/on_call/
[9] https://www.theregister.com/2025/03/21/nasa_maptis_reply_all/
[10] https://www.theregister.com/2023/02/14/us_army_reply_all_storm/
Sigh
Happens so tediously frequently.
Just put things in place, it's not difficult.
I'm involved in a few societies & have to send out regular emails to "mailing lists"
I have no hassles with to or cc (or even bcc) data leaks as it sends an individual email to each person on the "list" (obviously only drawback is this is slower)
Although this was a bit of email software I threw together myself (it has other features as, to avoid errors on my part, each mailing list has one of my email addresses associated & a list of associated directories and I can only add attachments to those mailing lists from those directories - to avoid files for one society going to members of another & each society has a society specific contact email for me - obviously relies on me putting files in correct folder! ) it was not exactly a difficult thing to throw together*
* About the only changes it has needed have been tweaks for OAuth support when Gmail killed basic auth (I use "society specific" Gmail contact email addresses as in emergency, other members of committee for relevant society can login to appropriate Gmail if I am away / ill / hit by a bus etc. as ensure chair & 1 other senior member of each society committee has creds to use the Gmail account if needed)
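The ICO guidance in the article and the per-recipient sending the commenter describes, as an added example (my code, not the article's, the ICO's or the commenter's): a pre-send check that flags a message exposing a bulk recipient list in To/Cc, and a splitter that turns such a message into one copy per addressee so nobody sees the other recipients. The threshold of five and the example.invalid addresses are assumptions.

```python
# Added example: detect a To/Cc recipient-list exposure before sending, and
# rewrite the bulk message as one message per recipient. Sample data is constructed.
from email.message import EmailMessage
from email.utils import getaddresses

EXPOSURE_THRESHOLD = 5  # assumption: more visible recipients than this is "bulk"
SAFE_HEADERS = ("From", "Subject", "Date", "Reply-To")  # carried into each copy

def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address other addressees can see: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def exposes_recipients(msg: EmailMessage, threshold: int = EXPOSURE_THRESHOLD) -> bool:
    """True when sending this message would disclose a bulk recipient list."""
    return len(visible_recipients(msg)) > threshold

def split_per_recipient(msg: EmailMessage) -> list[EmailMessage]:
    """One copy per unique To/Cc/Bcc address, each addressed only to that person.
    To, Cc and Bcc are never copied, so no copy reveals the others."""
    hidden = [a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    copies = []
    for rcpt in dict.fromkeys(visible_recipients(msg) + hidden):  # dedupe, keep order
        copy = EmailMessage()
        for name in SAFE_HEADERS:
            if msg[name] is not None:
                copy[name] = msg[name]
        copy["To"] = rcpt
        copy.set_content(msg.get_content())
        copies.append(copy)
    return copies

def build_invite(to_list: list[str], cc_list: list[str]) -> EmailMessage:
    """Constructed sample invite shaped like the one the article describes."""
    msg = EmailMessage()
    msg["From"] = "events@example.invalid"
    msg["Subject"] = "Invitation: JustMe session"
    msg["To"] = ", ".join(to_list)
    if cc_list:
        msg["Cc"] = ", ".join(cc_list)
    msg.set_content("You are invited to the session on 16 October.")
    return msg

if __name__ == "__main__":
    # 13 addresses in To and 45 in Cc, mirroring the numbers in the article
    invite = build_invite([f"to{i}@example.invalid" for i in range(13)],
                          [f"cc{i}@example.invalid" for i in range(45)])
    print("exposes recipient list:", exposes_recipients(invite))
    print("individual messages to send instead:", len(split_per_recipient(invite)))
```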
Microsoft Teams doesn't help
Experian sent me an invitation to an in-person "Data Governance Breakfast Briefing" in November 2024. There were 27 other email addresses exposed (some interesting attendees in fact). Experian didn't respond to my concerns, didn't apologise and I didn't attend. Two attendees did however contact me - both wondering why I didn't attend - and both in the Data Protection profession.
When I investigated further, I discovered the invitation was generated in Microsoft Teams via Outlook, which didn't allow attendees to be placed in a BCC context or hidden from each other. That apparently was only possible from the web based Teams portal.
Just checking and this still seems to be an issue today - unless you then switch the "Teams meeting" option off after creating the event, which reveals an option to "Hide attendee list", and then you send. What a Microsoft mess.