Fail
Well at least it wasn't our bank details! No doubt the whiners will be bleating for compensation as I've already seen one "an apology will not be acceptable" e-mail (which incidentally was sent to the unmanned mailbox!)
Vodafone's recently issued correction to new customers - crediting them with five pounds it had inadvertently billed for internet access - also bundled the email addresses of the 416 people to whom it was sent. It's the old "BCC" and "CC" problem, though really a company like Vodafone should know better than to reveal the email …
I see it all too often; I had one yesterday, actually. Generally I send them an e-mail back (just to the original sender) asking that in future they use BCC so that everyone on the list doesn't get everyone else's e-mail address.
It also really gets my back up when friends blindly forward on junk (virus hoaxes, crap jokes and that stupid crap about how much of a great friend you are) to EVERYONE in their address book. Of course they don't use BCC, and they also leave in the headers from everyone else who has blindly forwarded it on, so you get a list of about 500 e-mail addresses in the e-mail, and you can't do anything about your own e-mail address being sent on without your consent. When this happens I generally send my friend a strongly worded e-mail to say don't send me this crap any more. Luckily most of the people who do this only have my Hotmail address anyway, which I don't check (I only use it for Messenger and Xbox Live).
I dunno, some people shouldn't be allowed e-mail addresses until they learn how to use them properly (don't get me started about HTML and top posting on mailing lists either).
FAIL because, well, Vodafone have failed; just as well they didn't send it to every one of their subscribers.
Rob
This happens all too often and it's easy to blame human error but it points to a lack of security culture and training. Anyone who is in a position to send out emails to customers should have the training to understand the security implications of what they do, especially for a company as large as Voda.
This is down to two things:
1) The BCC: field being hidden by default on email clients, to avoid "confusing" the poor punter. I'm sure we have Microsoft to thank for starting this trend!
2) Not even an "are you sure?" dialogue explaining the problem when you put more than 'n' people in the To: and/or CC: fields, so as to avoid pissing off the punter.
People really do not appreciate that this behaviour is a gift to malware and breaks the Data Protection Act.
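A worked example of the two points above, added here as illustration and not code from the original thread or from Vodafone: the "leaky" form puts every customer in the visible To: header, the safe form keeps the list in the SMTP envelope only, and `send_guard` is the missing "are you sure?" check for more than 'n' visible addresses. The sender address, the 416 constructed customer addresses, the function names and the threshold value are all assumptions for the demo.

```python
"""Bulk customer notification: keep the recipient list in the envelope,
not in the visible headers. Constructed example; all names and addresses
below are made up for illustration."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed threshold for the "are you sure?" check: one visible address is
# normal for a one-to-one mail; more than that in a bulk send is suspicious.
MAX_VISIBLE_RECIPIENTS = 1

# Constructed sample data: 416 customers, mirroring the number in the story.
SENDER = "noreply@example.com"
CUSTOMERS = [f"customer{i}@example.net" for i in range(1, 417)]


def build_leaky_message(sender, recipients, subject, body):
    """The failure mode: every customer address lands in the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, recipients, subject, body):
    """Safe form: headers show only the sender. The real recipient list is
    returned separately so it can be used as the SMTP envelope (RCPT TO)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # or an "undisclosed recipients" placeholder
    msg["Subject"] = subject
    msg.set_content(body)
    # No Bcc: header at all: a Bcc: header that never exists cannot be
    # forwarded by a misbehaving relay or client.
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses anyone receiving this message can read from To:/Cc:."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def exposed_customer_addresses(msg, sender):
    """Customer addresses leaked in headers: visible ones other than the sender."""
    return [a for a in visible_recipients(msg) if a.lower() != sender.lower()]


def send_guard(msg, threshold=MAX_VISIBLE_RECIPIENTS):
    """The missing 'are you sure?' dialogue: (ok, count) where ok is False
    when more than `threshold` addresses are visible in To:/Cc:."""
    n = len(visible_recipients(msg))
    return n <= threshold, n


def deliver(msg, envelope_recipients, smtp=None):
    """Hand-off point. With a real smtplib.SMTP connection,
    smtp.send_message(msg, to_addrs=envelope_recipients) sends to the list
    without adding it to the headers. smtp is None here so the example runs
    offline; it returns what would go on the wire instead."""
    ok, n = send_guard(msg)
    if not ok:
        raise ValueError(f"{n} addresses visible in To:/Cc:; use the envelope instead")
    if smtp is not None:
        smtp.send_message(msg, to_addrs=envelope_recipients)
    return msg.as_string(), envelope_recipients


if __name__ == "__main__":
    leaky = build_leaky_message(SENDER, CUSTOMERS, "Correction", "We credited you 5 pounds.")
    print("leaky message exposes", len(exposed_customer_addresses(leaky, SENDER)), "customers")
    try:
        deliver(leaky, CUSTOMERS)
    except ValueError as err:
        print("guard refused:", err)
    safe, envelope = build_bulk_message(SENDER, CUSTOMERS, "Correction", "We credited you 5 pounds.")
    wire, rcpts = deliver(safe, envelope)
    print("safe message exposes", len(exposed_customer_addresses(safe, SENDER)),
          "customers; envelope carries", len(rcpts))
```

The point of returning the envelope list separately is that the thing the relay needs (RCPT TO) and the thing the recipients see (the headers) are different channels; a bulk-mail tool that never writes the list into a header has nothing to leak even if a downstream hop mishandles Bcc:.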
Punished? You must be joking. Our data protection legislation does not give any such power for this sort of breach. The worst that will happen will be that IF someone complains to the ICO then the ICO MAY send Vodafone a letter asking them if they have done anything wrong. When Vodafone explain that they made a "mistake" then that will be that, because the ICO have no power to punish for a retrospective breach. Yet. Let's face it - if the 2006/2007 covert BT/Phorm trials on tens of thousands of customers didn't result in a punishment, a 400-email data breach isn't going to raise the roof, is it? We need tougher consumer protection on data privacy and real teeth for the ICO to punish private companies that breach data protection rules or are simply incompetent.