{"id":29814,"date":"2022-10-14T17:29:52","date_gmt":"2022-10-14T21:29:52","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=508029"},"modified":"2022-10-17T09:03:51","modified_gmt":"2022-10-17T13:03:51","slug":"hamilton-employee-mistakenly-sends-email-blast-with-all-names-and-addresses-visible","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/hamilton-employee-mistakenly-sends-email-blast-with-all-names-and-addresses-visible\/","title":{"rendered":"Hamilton employee mistakenly sends email blast with all names and addresses visible"},"content":{"rendered":"

The carbon-based units are again responsible for a huge breach of security controls at an organization.<\/p>\n

This time it was an employee of the City of Hamilton, who hit an email \u2018send\u2019 button too fast on a message to 450 residents who had registered to vote by mail in the upcoming municipal election.<\/p>\n

Unfortunately, the employee didn\u2019t use the \u2018blind carbon copy\u2019 (bcc) function. Instead, the list of recipients went into the \u2018To\u2019 field, so all recipients could see everyone\u2019s name and email address.<\/p>\n

According to the Hamilton Spectator<\/a>, one person who received the blast complained to the city as well as to the provincial information and privacy commissioner.<\/p>\n

In response the city sent out a statement saying it regrets the error and any distress that this incident may cause those who have used the Vote by Mail process.<\/p>\n

\u201cMultiple email addresses were inadvertently entered in the to: line of the email instead of the bcc: line, exposing email addresses to all recipients of the email message. Immediate steps were taken to recall the message and to notify all affected individuals.<\/p>\n

\u201cThe City of Hamilton takes the responsibility of protecting the security of individuals and their personal information very seriously and will conduct a review of processes to ensure staff are trained in the protection of personal information.\u201d<\/span><\/p>\n

The city has notified the provincial information and privacy commissioner (IPC) because possible data breaches are subject to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).<\/p>\n

In an email, the IPC\u2019s office said it has been notified by the city, and had received two privacy complaints.<\/p>\n

The IPC doesn\u2019t have statistics on misdirected emails from public institutions covered by the provincial freedom of information and privacy act (FIPPA) <\/i>and MFIPPA, as they are not required to report privacy breaches. However, the IPC added, health information custodians subject to the provincial health information privacy act are required to report privacy breaches. Last year, 1,165 \u2014 or about 12 per cent \u2014 of unauthorized disclosures of personal health information were caused by misdirected emails.<\/p>\n

\u201cUnfortunately, misdirected emails are a common \u2014 though avoidable \u2014 cause of privacy breaches,\u201d the IPC statement said. \u201cCommissioner Kosseim has written a blog<\/a> about misdirected emails and the importance of having explicit policies, procedures and administrative safeguards in place when handling personal information to avoid such unauthorized disclosures of personal information. Employees need to be well-trained to be aware of potential privacy risks and follow proper protocols to avoid privacy breaches. This includes checking and double-checking the intended recipients of the email, making sure they are in the appropriate field \u2014 CC or BCC \u2014 and reviewing the content of both emails and attachments before pressing send. Documents or spreadsheets containing the personal information of individuals should be encrypted with strong passwords. That way, even if they are mistakenly attached to an email or sent to the wrong person, unauthorized recipients cannot read them.\u201d<\/p>\n

The blind carbon copy feature was added to early email systems to prevent receivers of mass emails from seeing the list of other people the message went to. The idea is, the sender pastes the list of recipients in the \u2018Bcc\u2019 field. However, some people who don\u2019t look carefully paste the list into the \u2018To\u2019 or \u2018cc\u2019 (carbon copy) field, and everyone who gets the message can see the names \u2014 or at least the nicknames \u2014 and the email addresses of everyone else.<\/p>\n

In 2016 Axa Insurance listed this as one of the five dreaded email failures<\/a>. Some application developers have created email plug-ins for popular email systems to prevent this problem.<\/p>\n

David Shipley, head of New Brunswick security awareness training firm Beauceron Security<\/a>, said the confusion over BCC \u201cis literally the oldest privacy breach mistake in the book and one that every organization ends up having to deal with sooner or later.\u201d<\/p>\n

\u201cThe reality is, people are human and they make mistakes. It\u2019s really important that if you have critical communications with multiple individuals that the right tools are set up to ensure privacy obligations are met.<\/div>\n
<\/div>\n
\u201cThese kinds of incidents are a reminder that people often use their email platform as the hammer to solve every problem, when it can often cause much harm as good. For example, a good customer relationship management platform is a much safer way to do stakeholder communications.\u201d<\/div>\n

The post Hamilton employee mistakenly sends email blast with all names and addresses visible<\/a> first appeared on IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

The carbon-based units are again responsible for a huge breach of security controls at an organization. This time it was an employee of the City of Hamilton, who hit an email \u2018send\u2019 button too fast on a message to 450 residents who had registered to vote by mail in the upcoming municipal election. Unfortunately, the<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[58,361,16],"tags":[402,683,275],"class_list":["post-29814","post","type-post","status-publish","format-standard","hentry","category-government-public-sector","category-privacy","category-security","tag-dotgov","tag-email","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/29814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=29814"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/29814\/revisions"}],"predecessor-version":[{"id":29881,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/29814\/revisions\/29881"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=29814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=29814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=29814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}