7 Examples of Data Breaches Caused By Misdirected Emails

  • By Maddie Rosenthal
  • 29 September 2020

While phishing, ransomware, and brute force attacks tend to make headlines, misdirected emails (emails sent to the wrong person) are actually a much bigger problem.

In fact, a report from the UK’s Information Commissioner’s Office (ICO) attributed 266 data breaches to this perennial issue… and that’s just between January-March of 2020. This number has no doubt increased as people around the world have been forced to work remotely; Tessian saw a 129% increase in email traffic when employees transitioned from office to home. More emails = more mistakes.

Are you surprised? Most people are. That’s why we’ve rounded up this list of 7 real-world (recent) examples of data breaches caused by misdirected emails. And, if you skip down to the bottom, you’ll see how you can prevent misdirected emails (and breaches!) in your organization.

If you’re looking for a bit more background, check out these two articles:

  1. Behind the “Fat Finger”: All You Need to Know About Misdirected Emails 
  2. Consequences of Sending an Email to the Wrong Person

7 examples of data breaches caused by misdirected emails 

Before we dive into the who, what, and how of these examples, it’s important to note that these incidents – and those reported to regulatory bodies like the ICO – are just the tip of the iceberg. 

The truth is, most employees who fire off emails to the wrong people never let their IT or security teams know. That means many security leaders underestimate the frequency (and impact) of this easy-to-make mistake.

How do we know? We asked them! (We also analyzed Tessian platform data.) Here’s what we found out:

  • 58% of employees say they’ve sent an email to the wrong person at work
  • At least 800 misdirected emails are sent every year in organizations with 1,000 employees
  • IT leaders working at organizations with 1,000+ employees estimate that just 480 emails are sent to the wrong person every year
  • 1.6x more misdirected emails are sent than IT leaders expect
  • 43% of employees say they’ve made a mistake at work that compromised cybersecurity

You can find more insights in The Psychology of Human Error and The State of Data Loss Prevention 2020. Now, on to the real-world examples! You’ll find the most recent examples listed first.

Australia’s Department of Foreign Affairs and Trade leaked 1,000 citizens’ email addresses

On September 30, 2020, Australia’s Department of Foreign Affairs and Trade (DFAT) announced that the personal details of over 1,000 citizens were exposed after an employee failed to use BCC. So, who were the citizens? Australians who have been stuck in other countries, since inbound flights have been limited (even rationed) since the outbreak of COVID-19.

The plan was to increase entry quotas and start an emergency loans scheme for those in dire need. Those who had their email addresses exposed were among the potential recipients of the loan.

Immediately after the email was sent, employees at DFAT tried to recall the email, and even requested that recipients delete the email from their IT system and “refrain from any further forwarding of the email to protect the privacy of the individuals concerned.”

Serco exposes contact tracers’ data in email error

In May 2020, an employee at Serco, a business services and outsourcing company, accidentally cc’d instead of bcc’ing almost 300 email addresses. Harmless, right? Unfortunately not. 

The email addresses – which are considered personal data – belonged to newly recruited COVID-19 contact tracers. While a Serco spokesperson has apologized and announced that they would review and update their processes, the incident nonetheless has put confidentiality at risk and could leave the firm under investigation with the ICO. 

Sonos accidentally exposes the email addresses of hundreds of customers in email blunder 

In January 2020, 450+ email addresses were exposed after they were (similar to the example above) cc’d rather than bcc’d. 

Here’s what happened: A Sonos employee was replying to customers’ complaints. Instead of putting all the email addresses in BCC, they were CC’d, meaning that every customer who received the email could see the personal email addresses of everyone else on the list.

The incident was reported to the ICO and is subject to potential fines.

“Remember: email addresses are considered personally identifiable information (PII) and are therefore protected under compliance standards like the GDPR.”

Gender identity clinic leaks patient email addresses

In September 2019, a gender identity clinic in London exposed the details of close to 2,000 people on its email list after an employee cc’d recipients instead of bcc’ing them.

Two separate emails were sent, with about 900 people cc’d on each. 

While email addresses on their own are considered personal information, it’s important to bear in mind the nature of the clinic. As one patient pointed out, “It could out someone, especially as this place treats people who are transgender.” 

The incident was reported to the ICO, which is currently assessing the information provided. But a similar incident may offer a glimpse of what’s to come.

In 2016, the email addresses of 800 patients who attended HIV clinics were leaked because they were – again – cc’d instead of bcc’d. An NHS Trust was fined £180,000. Bear in mind, this fine was issued before the introduction of GDPR.

University mistakenly emails 430 acceptance letters, blames “human error”

In January 2019, The University of South Florida St. Petersburg sent nearly 700 acceptance emails to applicants. The problem? Only 250 of those students had actually been accepted. The other 400+ hadn’t.

While this isn’t considered a breach (because no personal data was exposed) it does go to show that fat fingering an email can have a number of consequences. 

In this case, the university’s reputation was damaged, hundreds of students were left confused and disappointed, and the employees responsible for the mistake likely suffered red-faced embarrassment on top of other, more formal ramifications. The investigation and remediation of the incident also will have taken up plenty of time and resources. 

Union watchdog accidentally leaked secret emails from confidential whistleblower

In January 2019, an official at Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including the identity of a whistleblower. How? The employee entered an incorrect character when sending an email. It was then forwarded to someone with the same last name – but different first initial – as the intended recipient.

The next day, the ROC notified the whistleblower whose identity was compromised and disclosed the mistake to the Office of the Australian Information Commissioner as a potential privacy breach.
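The two failure modes behind most of the incidents above are mechanical enough to check for before a message leaves the client: a bulk mailing whose recipients sit in To/CC instead of BCC (the Serco, Sonos, clinic and DFAT cases), and a recipient address that is one wrong character away from a contact the sender actually knows (the ROC case). The following Python is an added example written for this article; it is not Tessian’s code and not something any of the organisations above have published. The recipient threshold, the contact directory and every address in it are constructed for illustration.

```python
"""Pre-send checks for two misdirected-email patterns:
1. many recipients visible in To/CC (should be BCC), and
2. a recipient address one edit away from a known contact (likely typo).
All addresses, names and the threshold below are constructed for this example."""

from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy threshold: more visible recipients than this is treated as a bulk mailing.
VISIBLE_RECIPIENT_LIMIT = 10


@dataclass
class OutboundMessage:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)


def normalize(addr: str) -> str:
    """Case-fold and trim an address so comparisons are not fooled by capitalisation."""
    return addr.strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_visible_bulk_recipients(msg: OutboundMessage, limit: int = VISIBLE_RECIPIENT_LIMIT) -> List[str]:
    """Flag a message whose To/CC lists expose more than `limit` addresses to each other."""
    visible = [normalize(a) for a in msg.to + msg.cc]
    if len(visible) <= limit:
        return []
    domains = {a.rsplit("@", 1)[-1] for a in visible}
    return [f"{len(visible)} recipients are visible in To/CC across {len(domains)} domain(s); "
            f"move them to BCC so recipients cannot see each other's addresses"]


def check_near_miss_recipients(msg: OutboundMessage, known_contacts: List[str],
                               max_distance: int = 1) -> List[str]:
    """Flag recipients that are not known contacts but are within `max_distance`
    edits (same domain) of one, e.g. a wrong initial or a mistyped character."""
    known = {normalize(c) for c in known_contacts}
    findings = []
    for addr in msg.to + msg.cc + msg.bcc:
        a = normalize(addr)
        if a in known:
            continue
        local, _, domain = a.partition("@")
        candidates = sorted(
            k for k in known
            if k.partition("@")[2] == domain
            and 0 < levenshtein(local, k.partition("@")[0]) <= max_distance
        )
        if candidates:
            findings.append(f"{addr} is not a known contact but resembles "
                            f"{', '.join(candidates)}; confirm the recipient before sending")
    return findings


def check_outbound(msg: OutboundMessage, known_contacts: List[str]) -> List[str]:
    """Run both checks; an empty list means nothing to warn the sender about."""
    return check_visible_bulk_recipients(msg) + check_near_miss_recipients(msg, known_contacts)


# Constructed contact directory for the sender (addresses they have mailed before).
CONTACTS = ["j.smith@example.com", "a.smith@example.com", "r.jones@partner.example"]

if __name__ == "__main__":
    typo = OutboundMessage(sender="me@corp.example", to=["k.smith@example.com"])
    bulk = OutboundMessage(sender="me@corp.example",
                           cc=[f"person{i}@domain{i % 5}.example" for i in range(300)])
    for name, m in (("typo", typo), ("bulk", bulk)):
        for finding in check_outbound(m, CONTACTS):
            print(f"[{name}] {finding}")
```

In practice the contact directory would be built from the sender’s own sent-mail history, and the two checks would run as a prompt in the mail client rather than a hard block, since a genuine new contact with a similar address is common; the point is to make the sender look twice at exactly the moment the DFAT and ROC employees did not.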

Major Health System Accidentally Shares Patient Information Due to Third-Party Software for the Second Time This Year

In May 2018 Dignity Health – a major health system headquartered in San Francisco that operates 39 hospitals and 400 care centers around the west coast – reported a breach that affected 55,947 patients to the U.S. Department of Health and Human Services. 

So, how did it happen? Dignity says the problem originated from a sorting error in an email list that had been formatted by one of its vendors. The error resulted in Dignity sending emails to the wrong patients, with the wrong names. Because Dignity is a health system, these emails also often contained the patient’s doctor’s name.

That means PII and protected health information (PHI) was exposed.

“Before we adopted Tessian's technology, we didn't believe we had any problems with misaddressed emails. After a pilot, we realized that was only because these issues weren't being reported.”
Andrew Cheung, Partner and General Counsel at Dentons

Prevent misdirected emails (and breaches) with Tessian Guardian

Regardless of your region or industry, protecting customer, client, and company information is essential. But, to err is human. So how do you prevent misdirected emails?

With machine learning

Tessian turns an organization’s email data into its best defense against human error on email. Our Human Layer Security technology understands human behavior and relationships and automatically detects and prevents emails from being sent to the wrong person.

Yep, this includes typos, accidental “reply alls” and cc’ing instead of bcc’ing. 

Interested in learning more about how Tessian can help prevent accidental data loss and data exfiltration in your organization? You can read some of our customer stories here or book a demo.

Maddie Rosenthal