“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.
“While BCC can be a useful function, it’s not enough on its own to properly protect people’s personal information. We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.”

Mihaela Jembei, ICO Director of Regulatory Cyber


The ICO has recently issued a warning over using BCC, along with guidance on best practice when sending bulk emails. Its advice is to use alternatives to BCC, such as Mailchimp, Hubspot, Dot Digital and similar services, which are valuable both for data protection and for better marketing analytics. However, not every organisation sends enough bulk email to justify investing in these services, and some simply cannot afford to invest at all. BCC is perfectly safe to use as long as it is used correctly and not overlooked. Below we explore the potential impacts of improper use of BCC, as well as ways in which companies can make sure that employees don’t make mistakes when using it.


The Importance of Using BCC Correctly:

Privacy Breaches:

  • Recipient Exposure: When email addresses are openly shared in the CC (Carbon Copy) field, recipients can see each other’s email addresses. This can lead to unintended privacy breaches, as some individuals may not want their contact information disclosed to others.
  • Sensitive Information: Sensitive information may be included in the email content. If BCC is not used properly, this information can be exposed to unintended recipients, potentially resulting in data leaks and privacy violations.

Increased Spam and Phishing Risk:

  • Data Harvesting: Cybercriminals often harvest email addresses from publicly visible sources, including emails sent with CC. When email addresses are exposed, it becomes easier for malicious actors to collect them for spam or phishing campaigns.
  • Phishing Attacks: By knowing who received a particular email, cybercriminals can craft convincing phishing emails that appear to come from a trusted source. This can result in recipients falling victim to phishing attacks, compromising their security and potentially revealing sensitive information.

Legal and Regulatory Consequences:

  • Data Protection Laws: Many countries and regions have strict data protection regulations (e.g., GDPR in Europe, HIPAA in the United States) that require organisations to safeguard personal data, including email addresses. Failing to use BCC correctly may lead to non-compliance with these regulations, potentially resulting in legal consequences and substantial fines.
  • Client and Customer Trust: Mishandling email addresses can erode trust and confidence in an organisation’s commitment to data security and privacy. This can damage client and customer relationships and harm a company’s reputation.

Unintended Disclosure:

  • Sensitive Content: Sometimes, email conversations contain confidential or sensitive information that should be kept between a limited group of individuals. Improper use of CC instead of BCC can result in this content being inadvertently disclosed to unintended recipients, causing embarrassment, disputes, or even legal issues.
  • Impression on Recipients: In professional settings, not using BCC correctly can create a negative impression. It may suggest a lack of attention to detail, respect for privacy, or professionalism in communication.


Case Study

HIV Scotland, a charity focused on HIV awareness, prevention, and support, was fined £10,000 by the Information Commissioner’s Office (ICO) for a data breach. The breach occurred when HIV Scotland sent an email to 105 individuals, including patient advocates representing people living with HIV in Scotland. Unfortunately, all recipients could see each other’s email addresses, and 65 of these addresses also revealed individuals’ names. The ICO’s investigation identified several issues with the charity’s email practices, including insufficient staff training, improper methods for sending bulk emails, and a weak data protection policy. Despite acknowledging the risks and implementing a more secure system for bulk messaging, HIV Scotland continued to use a less secure method seven months later. The incident highlights the importance for organisations, especially those working with sensitive data, to prioritise strong data protection policies and practices. This helps prevent avoidable breaches and safeguards people’s privacy.


Mitigate BCC Mistakes Through:

1 Education and Training:

  • Provide comprehensive staff training on the importance of BCC.
  • Ensure that everyone understands the consequences of improper BCC usage.

2 Clear Policies:

  • Establish and communicate email communication policies with BCC guidelines.
  • Make policies easily accessible for quick reference.

3 Use Email Templates:

  • Create email templates with correct BCC setup for common communications.
  • Encourage the use of templates to minimise BCC errors.

4 Double-Check Recipient Lists:

  • Before sending, verify that email addresses are correctly placed in To, CC, or BCC fields.
  • Confirm the use of BCC when necessary to protect recipient privacy.

5 Regular Audits and Reporting:

  • Conduct periodic audits of email communications.
  • Encourage the reporting of improper BCC usage and establish feedback mechanisms.
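As an added example (not part of the original article), the recipient check and audit described above can be automated: the script below parses an outgoing message, counts every address visible to all recipients in To and Cc, flags it when that count exceeds a threshold, and shows the safe alternative of building the same send with the list in Bcc. The sample message and the threshold of 5 are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: more than this many visible recipients is treated as a bulk send
# that should have used BCC (or a bulk mail service) instead of To/Cc.
MAX_VISIBLE_RECIPIENTS = 5

# Constructed sample: a group update sent with every address in To/Cc,
# which is the exact pattern behind the HIV Scotland breach above.
SAMPLE_RAW = """\
From: updates@example.org
To: alice@example.com, bob@example.net, carol@example.org, dave@example.com
Cc: erin@example.net, frank@example.org
Subject: Support group update

Hello everyone,
"""


def visible_recipients(raw_message: str) -> list[str]:
    """Return every address that all recipients can see (To and Cc headers)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]


def check_bulk_exposure(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Pre-send / audit check: flag a message exposing more than `limit` addresses."""
    visible = visible_recipients(raw_message)
    return {
        "visible_count": len(visible),
        "flagged": len(visible) > limit,
        # Mixed domains are a sign the recipients are unrelated third parties.
        "distinct_domains": sorted({a.split("@", 1)[1] for a in visible if "@" in a}),
    }


def build_bcc_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build the same send safely: only the sender is visible, the list goes in Bcc.
    smtplib.send_message() strips the Bcc header before transmission."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print(check_bulk_exposure(SAMPLE_RAW))
```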