Vodafone's recently issued correction to new customers - crediting them with five pounds it had inadvertently billed for internet access - also bundled the email addresses of the 416 people to whom it was sent. It's the old "BCC" and "CC" problem, though really a company like Vodafone should know better than to reveal the email …
Well at least it wasn't our bank details! No doubt the whiners will be bleating for compensation as I've already seen one "an apology will not be acceptable" e-mail (which incidentally was sent to the unmanned mailbox!)
I see it all too often
I see it all too often, I'd had one yesterday actually. Generally I send them an e-mail back (just to the original sender) explaining that in future could they use BCC so everyone on the list doesn't get everyone else's e-mail address.
It also really gets my back up when friends blindly forward on junk (virus hoaxes, crap jokes and that stupid crap about how much of a great friend you are) to EVERYONE in their address book, and of course they don't use BCC, and they also leave in the headers for everyone else who has blindly forwarded it on so you get a list of about 500 e-mail addresses in the e-mail and you can't do anything about your own e-mail address ending up being sent on without your consent. When this happens I generally send my friend a strongly worded e-mail to say don't send me this crap anymore. Luckily most of the people who do this only have my hotmail address anyway which I don't check (I only use it for Messenger and XBOX Live).
I dunno, some people shouldn't be allowed e-mail addresses until they learn how to use them properly (don't get me started about HTML and top posting on mailing lists either).
FAIL because, well Vodafone have failed, just as well they didn't send it to every one of their subscribers.
Only three short
Of an April 1st worthy error
Not just the user's fault
This happens all too often and it's easy to blame human error but it points to a lack of security culture and training. Anyone who is in a position to send out emails to customers should have the training to understand the security implications of what they do, especially for a company as large as Voda.
Oh no not again
This is down to two things:
1) The BCC: field being hidden by default on email clients, to avoid "confusing" the poor punter. I'm sure we have Microsoft to thank for starting this trend!
2) To avoid pissing off the punter, not even an "are you sure?" dialogue, explaining the problem, when you put more than 'n' people in the To: and/or CC: fields.
People really do not appreciate that this behaviour is a gift to malware and breaks the Data Protection Act.
This is not a one off! Vodafone does this all the time to its partner channel... I now have the email address for almost every billing team that deals with Vodafone (including O2 and BT)... This list gets updated and re-sent in the "To" field every month!
A rather small error
Come on, it was only 416 people. It might so easily have been 416,000 !
T's and C's.
Please don't not tick this box if you wish us not to not send your email address to carefully unlimited* third parties, vendors and other customers.
*Unlimited means about 400...
Clear as mud? Good..
Sure it's from Voda?
Hmm 416 recipients. If it had been 3 more and asking for money, I would have been wondering if it was from the Lads in Lagos....
Punished? You must be joking. Our data protection legislation does not give any such power for this sort of breach. The worst that will happen will be that IF someone complains to the ICO then the ICO MAY send Vodafone a letter asking them if they have done anything wrong. When Vodafone explain that they made a "mistake" then that will be that. Because the ICO have no power to punish for a retrospective breach. Yet. Let's face it - if the 2006/2007 covert BT/Phorm trials of tens of thousands of customers didn't result in a punishment, a 400 email data breach isn't going to raise the roof is it? We need tougher consumer protection on data privacy and real teeth for the ICO to punish private companies that breach data protection rules or are simply incompetent.