back to article 150 infosec bods now know who they're up against thanks to BT Security cc/bcc snafu

BT Security managed to commit the most basic blunder of all after emailing around 150 infosec professionals who attended a jobs fair – using the "cc" field instead of "bcc". The email, shown to The Register by a non-trivial number of aggrieved recipients, thanked them for attending the Westminster Cyber Expo and popping by the …

  1. Victor Ludorum
    Facepalm

    Words fail me

    See icon

  2. Chloe Cresswell

    Team size increases...

    "we'll be increasing the size of our security team by 25 per cent..." 25% +1 now, maybe?

    1. Korev Silver badge
      Coat

      Re: Team size increases...

      I CC what you did there

  3. Anonymous Coward
    Anonymous Coward

    Unbelievable

    Utterly unbelievable......

    1. LDS Silver badge

      Re: Unbelievable

      Not at all, they should have attended the same privacy course my company forced me to attend. They explained that only personal addresses had to be put in BCC, while non-personal ones had to be put in CC, and it was an error to answer "simply put all those bloody addresses in BCC so others won't know to whom else the mail was sent to, and I have not to check each address to understand if it is personal or not".

  4. smudge Silver badge
    Windows

    Reply-all email chains are no laughing matter.

    Damn right. I once worked on a contract for Shell, and had a Shell email address. Every now and then some eejit would send an email to a relatively small proportion of Shell's workforce, but that would still amount to thousands of people. It was quite informative to see the resulting email war spreading around the planet, and seeing how long it took. But that in no way compensated for having frequently to delete hundreds of emails...

    1. MiguelC Silver badge
      Trollface

      Re: Reply-all email chains are no laughing matter.

      My favorites are mailing lists misconfigurations, my kid's school mailing list administrator has a bad habit of regularly setting them to relay all replies to the whole list... until enough people start asking to be taken out of the list and others angrily telling everyone not to reply to all, others commenting on the original mail or on any other subject, ad infinitum

      I just laugh.

      1. Myvekk

        Re: Reply-all email chains are no laughing matter.

        Trollish parents hitting reply all, just to keep the torment going... Or to hammer the administrators mail enough to teach them to Do Not.

    2. Anonymous Coward
      Anonymous Coward

      Re: Reply-all email chains are no laughing matter.

      Yep, they're no laughing matter, mostly when you're in charge and are watching in despair the 1-5% idiots replying to all, exponentially loading all systems and storage !

      With only 150 recipients, risk is almost 0, but with X thousands, like I could myself verify, things can go titsup quite quickly. Then, you'll need to take down all replies, if at all possible giving the architecture, before the Great Global Collapse tm.

      For those blaming the poor sod, this is a bit stupid. Everyone has done this at least once, and given how retarded outlook controls are (aka, you need to manually move from cc to bcc before sending, as bcc is not available by default), of course people are doing mistakes. You forgot to do the last drag before sending ? Bam, you got it !

      1. fnusnu

        Re: Reply-all email chains are no laughing matter.

        2 people have replied to all so far. The recall note was also cc'd to all

      2. Pascal Monett Silver badge

        Re: Everyone has done this at least once

        No, I haven't. Ever. The fact that I don't use Outlook might have helped, from the look of things, but first and foremost I actually pay attention when I reply to or write an email.

        There's also the fact that never use Reply To All - my ego is not of sufficient size to believe that everyone is interested in my response.

        Maybe, some time in the future after my brain aneurysm I might, but up to now my record is spotless on that account.

      3. John Brown (no body) Silver badge

        Re: Reply-all email chains are no laughing matter.

        "given how retarded outlook controls are (aka, you need to manually move from cc to bcc before sending, as bcc is not available by default), of course people are doing mistakes. You forgot to do the last drag before sending ? Bam, you got it !"

        Is this also why BT said "could you recall the message" in relation forwards etc? I don't recall using a mail system where "recall" was an option, or if it was, it worked in any reliable way. It sounds very much like something MS would implement as if it was some sort of proper and official standard.

  5. chivo243 Silver badge
    Trollface

    We know who needs SECOPs help

    Or is just basic e-mail etiquette? Are they same with this outfit?

  6. Fat_Tony
    Facepalm

    One recipient even reply-all'd to the original email asking to be taken off it

    there's always one idiot who just can't help themselves

    1. Cederic Silver badge

      Re: One recipient even reply-all'd to the original email asking to be taken off it

      "We need people like you." Yes, you do. But not him, cross him off the list.

      (or her, I believe in equal opportunity idiocy)

      1. Anonymous Coward
        Anonymous Coward

        Re: One recipient even reply-all'd to the original email asking to be taken off it

        Cross them off the list?

        Surely this candidate and BT are an ideal match?

  7. JimmyPage Silver badge
    Flame

    if (count(reply_addresses) > 10) GetAdminClearanceBeforeSending();

    Now, where's my £1,000,000 ?

    1. CrazyOldCatMan Silver badge

      Re: if (count(reply_addresses) > 10) GetAdminClearanceBeforeSending();

      Now, where's my £1,000,000 ?

      I've got it here. However, I'll need you to send me £5000 so that I can process releasing it to you..

  8. big_D Silver badge
    Facepalm

    Who?

    Who, working in info-sec,

    a) uses a "real" email address for such things, you'd usually use a throw-away address, such as bt.stand@mydomain.com, or even a disposable gmail or similar address.

    b) uses their work email address when looking for a new job (that goes to anybody, not just info-sec bods). 30 years ago, maybe, but today?

    That said, a complete balls-up by BT

    1. Chloe Cresswell

      Re: Who?

      You mean a normal/traditional complete balls-up by BT...

  9. smudge Silver badge

    Interesting dilemmas

    If you were a candidate, wouldn't you now withdraw your interest?

    And if you were BT, wouldn't you go after those who withdrew, rather than those who stayed?

    And as for the bod who replied-all, citing GDPR - clearly top management potential there.

    1. Mandoscottie
      Angel

      Re: Interesting dilemmas

      wouldnt have been interested in BT infosec to begin with :P

  10. RSW

    Alanis Morissette would be proud

    1. Anonymous Coward
      Anonymous Coward

      it's like RAAAAAAAIIIIIIIIIIINNNNNNNNNN

      1. Glen 1 Silver badge

        Want to feel old?

        That song was released in... 1996. 23 (nearly 24) years ago

        1. Doctor Syntax Silver badge

          AH, bless. Somebody who thinks 24 years was a long time ago.

          1. Anonymous Coward
            Anonymous Coward

            Now that's ironic. Don't ya think?

          2. Anonymous Coward
            Anonymous Coward

            "AH, bless. Somebody who thinks 24 years was a long time ago."

            <troll>Ok, Boomer</troll>

            1. Anonymous Coward
              Anonymous Coward

              Sounds like an old man. Recently turned ninety-eight. Hopefully he didn't win the lottery today because we all know what's in store tomorrow if that was indeed the case.

  11. Anonymous Coward
    Anonymous Coward

    BCC

    It's far too easy for those employees who deal with mailing lists regularly to miss out the step of switching to BCC. It's the primary source of minor data protection breaches for us and I guess for the majority.

    You'd think that since it's so common a problem it would be easy to have the default sending option set to BCC, then you'd have to actively switch to make a mistake (the fail option being a safe state). But no if you use MS Outlook it does not have an easy option to set BCC as the default.

    If anyone can correct me and point me to a nice switch to make email default to BCC I'd really like to know. Then I'll vigorously beat our exchange admin with the knowledge until they make it happen.

    1. Sulky

      Re: BCC

      I've not done it, but you should be able to use the developer tools to edit the "Message" form and substitute the To: field with the BCC field and save it as the default new message form. There is a way to assign that new form across all outlook deployments as the default but I can't remember how off the top of my head.

  12. EnviableOne Silver badge
    Facepalm

    We take the protection of data extremely seriously

    obvs --->

  13. Missing Semicolon
    Windows

    Exchange users

    Do have this rather quaint belief in the ability to "recall" mails.

    The rest of us just chortle. Or not, if the "recall" mail is also not Bcc'd.... (like our local Conservative Party..)

    1. Flywheel Silver badge
      FAIL

      Re: Exchange users

      And "If you haven't already opened it, could you delete the email straightaway without opening"

      Presumably they're assuming that you either have message preview enabled or you can read emails without opening them!!

  14. GarethB

    Not at all suprised

    We had a BT Eco Repair account created for us today. For those who don't know this is used to report faults on BT lines and circuits.

    Logged in and could immediately see fault reports for lines which didn't belong to us. Took a look at one and it contained the contact name, mobile phone number and installation address at the British Transport Police.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not at all suprised

      Our previous service desk was maintained by a certain outsourcing company with a name starting with 'C'. I pointed out to them that, despite their protestations that we were in an isolated partition, I could see information on all their other contracts, including Police and Local Government contracts.

      Needless to say, that situation persisted until we ejected them.

      1. Myvekk

        Re: Not at all suprised

        Did you do their other clients the courtesy of notifying them that their details were exposed? They might have wanted to change as well... Once they knew.

      2. John Brown (no body) Silver badge

        Re: Not at all suprised

        "Needless to say, that situation persisted until we ejected them."

        How long did that take, knowing that your companies data was almost certainly available to those other orgs?

    2. PM from Hell

      Re: Not at all suprised

      I managed the telephony contract re-tender for a county council.

      A key requirement was for the incumbent supplier to give us a full list of all lines, locations and tariffs. Unfortunately they couldn't provide this with any level of accuracy as they had accidentally transferred all the city council lines to our account previously. Whilst billing was correct they couldn't manage to provide a report which just had our properties. We also had a suspiciously large number of out-of-county lines. Whilst we had a couple of care homes and outward bound type educational establishments we didn't own the public payphone in the middle of an RAF base or various magistrates courts scattered around the UK. When we asked for a similar report from out mobile phone provider hey sent us a complete extract of all mobile numbers, usage, phone type user name and contact details within 48 hours. The only problem was they sent the data from a completely different County Council.

  15. Anonymous Coward
    Anonymous Coward

    Officepower

    In a certain computer company the email system used to send your mail to everyone in the company whose address started with that letter if you mistakenly left a single letter in the To field. Hence people from South Africa to Reading were all aquainted with the details of a young lady's party mishap. Unfortunately it was the letter"B" and so was a Mr Bonfield.

  16. bpfh Silver badge

    Professional mailing list software exists...

    And it’s not as if they don’t have the means to pay for one.... in this day and age this sort of thing should not happen...

    1. Warm Braw Silver badge

      Re: Professional mailing list software exists...

      However it doesn't solve two problems:

      1/ Ordinary mortals having to beg permission to create a list (or have someone else do it for them)

      2/ Said mortals taking a shortcut because it isn't worth the hassle

      On the whole, I think mail servers should be configured so they reject more than, say, half a dozen total recipients (CC'd or BCC'd), any of which could be the ID of a mailing list, of course: there's rarely any genuine reason to copy more than 6 named people into e-mails and if there is a need to inform a larger number of roles you probably need to formalise it with a list anyway. It would limit potential information leaks and get a rid of a lot of arse-covering irrelevance.

    2. Roland6 Silver badge

      Re: Professional mailing list software exists...

      I think many are missing something here, namely, how did the contact details of 150 potential applicants get into the cc field of an email. To me, this says that whoever processed the contact information (personal data), did so outside of normal HR and contact management systems. Ie. those contact details are being retained within an individual's own address book, perhaps someone didn't understand their GDPR training..

  17. Claptrap314 Silver badge

    "Reply-all email chains are no laughing matter."

    Buhahahahahahaha!

    Are you KIDDING me? They. Are. Hilarious. And have been ever since I got online in 1993. Deliberately replying-all to a mass cc'ed email is an efficient way of driving the point home both to idiot users in dire need of a clue bat, and lazy admins who don't understand that exponential backoff isn't something you just read about.

    I can understand that into the mid-nineties, that protections against these things might not have been in place. Even as late as 2000, it is understandable that mid-sized organizations might not have gotten up to speed. But to claim that you are running an enterprise IT department at the end of the 2019 that cannot deal with a simple reply-all storm? Grow up, kid. This ain't DIsneyland.

  18. Martin-73 Silver badge

    Someone clue me in please

    I understand HOW the original snafu could occur, lack of checks, some underpaid person clicking the wrong field in outhouse, etc.

    But WHY is it always compounded by someone doing a reply all? Is there a mail client where the default to a multirecip message is 'reply all'?

    And if so, why hasn't the programmer been shot?

  19. Norman Nescio

    MTA RFC?

    Given the unlikelihood of mail clients being modified to make this sort of thing less likely to happen by accident or ignorance, perhaps there is mileage in writing an updated Message Transfer Agent RFC that requires that the agent can count the number of names in a 'cc' field and refuse to transfer the mail if it is above a certain number?

    If you really want to cc a lot of people, request permission from the MTA first; or maybe the MTA puts the message in quarantine and requests the sender to confirm they want the mail to be forwarded.

  20. Mandoscottie
    WTF?

    note to self (like i needed it) infosec & BT got it.

    not the first clowns id think of, pc world tech team first maybe.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019