The information watchdog has warned businesses to limit their use of Bcc when they send emails.
The function, which allows a sender to send an email to several recipients without revealing who has received it, regularly leads to data breaches, the Information Commissioner’s Office said on Wednesday.
Bcc, which stands for blind carbon copy, can be used in some situations, the ICO said, but should be avoided whenever sending sensitive personal information.
It said that it is common for senders who intend to Bcc others into an email to use the Cc field by mistake, which exposes every recipient’s email address to all the other recipients.
“You may use this to copy in someone discreetly or send a bulk email with a large mailing list,” the ICO said in new guidance.
“However, forgetting to use Bcc frequently leads to the accidental disclosure of all the recipients’ email addresses.”
It added: “You might use Bcc with other measures if the personal information you’re sharing isn’t sensitive and there’s little risk.
“For example, if you have general information, such as an internal newsletter, and you wish to avoid ‘Reply all’ responses.”
The ICO said incorrect use of Bcc is consistently one of the top-10 non-cyber breaches that it deals with. Nearly 1,000 such cases have been reported since 2019.
The education sector performs the worst here, followed by the health sector, local government, retail and the charity sector.
Mihaela Jembei, ICO director of regulatory cyber, said: “Failure to use Bcc correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.
“While Bcc can be a useful function, it’s not enough on its own to properly protect people’s personal information.
“We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers.
“If organisations are sending any sensitive personal information electronically, they should use alternatives to Bcc, such as bulk email services, mail merge, or secure data transfer services.
“This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”
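The two practical points in the guidance above are a failure mode (the recipient list pasted into Cc instead of Bcc) and a recommended alternative for sensitive data (mail merge, i.e. one message per recipient). The following is an added example, not code from the article or the ICO: a pre-send guard that counts the addresses exposed in To/Cc, and a minimal mail-merge builder that never places more than one recipient on a message. It uses only the Python standard library and sends nothing; the people, addresses and the one-address threshold are constructed assumptions for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption (not from the article): on a message carrying sensitive personal
# information, at most this many addresses may appear in the visible To/Cc
# headers. One-to-one mail merge keeps the count at exactly 1.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc.
    Bcc is deliberately excluded; it is not shown to recipients."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(raw) if addr]


def check_before_send(msg: EmailMessage, sensitive: bool) -> list[str]:
    """Pre-send guard. Returns a list of problems; an empty list means the
    draft may be sent. Catches the Cc-instead-of-Bcc slip the ICO describes
    and flags Bcc-only protection on sensitive content."""
    problems: list[str] = []
    if not sensitive:
        return problems
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(visible)} addresses exposed in To/Cc on a sensitive message "
            "(Cc used where Bcc or one-to-one sending was intended?)"
        )
    if msg.get_all("Bcc"):
        problems.append(
            "Bcc alone is not an adequate control for sensitive data; "
            "send one message per recipient instead"
        )
    return problems


def mail_merge(sender: str, subject: str, template: str,
               recipients: dict[str, str]) -> list[EmailMessage]:
    """Build one message per recipient (mail merge). No recipient header ever
    carries anyone else's address, so a Cc/Bcc slip cannot leak the list."""
    messages = []
    for address, name in recipients.items():
        m = EmailMessage()
        m["From"] = sender
        m["To"] = address          # exactly one visible recipient
        m["Subject"] = subject
        m.set_content(template.format(name=name))
        messages.append(m)
    return messages


def build_misaddressed_draft(sender: str, subject: str,
                             recipients: dict[str, str]) -> EmailMessage:
    """The mistake described in the article: the whole list pasted into Cc."""
    m = EmailMessage()
    m["From"] = sender
    m["Cc"] = ", ".join(recipients)
    m["Subject"] = subject
    m.set_content("Please see the attached appointment details.")
    return m


def run_example():
    """Constructed sample data (names and addresses are invented)."""
    people = {"a@example.org": "Ana", "b@example.org": "Ben", "c@example.org": "Cai"}
    sender, subject = "clinic@example.org", "Your appointment"

    wrong = build_misaddressed_draft(sender, subject, people)
    wrong_problems = check_before_send(wrong, sensitive=True)

    merged = mail_merge(sender, subject, "Dear {name}, your appointment is confirmed.", people)
    merged_problems = [check_before_send(m, sensitive=True) for m in merged]
    merged_visible = [visible_recipients(m) for m in merged]
    return wrong_problems, merged_problems, merged_visible


if __name__ == "__main__":
    wrong_problems, merged_problems, merged_visible = run_example()
    print("Cc draft blocked with:", wrong_problems)
    print("Mail-merge drafts blocked with:", merged_problems)
    print("Visible recipients per merged message:", merged_visible)
```

In production the guard sits in front of whatever actually transmits the message; if that is `smtplib`, note that `SMTP.send_message` strips `Bcc` headers from the transmitted copy, so the header never reaches recipients, but the guard above still refuses to rely on Bcc alone for sensitive content, as the guidance recommends.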