BCC is hard, OK? Quite a lot of orgs blurted your email addresses in GDPR mailouts
Ad blocker Ghostery, UK councils, vitamin sellers all in the blabtastic mix
Amid the chaos of new European data protection rules coming into force at the end of last week, organisations are apparently struggling to grasp even the most basic of technical challenges, sending out non-blinded emails to their users.
Topping the irony charts is ad-blocker Ghostery, which sent users an email with more than 500 addresses in the "To" field, the text of which assured them that the biz was on top of the General Data Protection Regulation and had put stringent measures in place to protect their data.
"We at Ghostery hold ourselves to a high standard when it comes to users' privacy," stated the mass email – sent to El Reg by a reader who described the company as "a shower of pillocks".
Other users seized the opportunity to offer their services, with one Reg reader suggesting that, as a bus driver, they might be better suited to a role at the biz.
"If a bus driver knows to avoid CC and use BCC instead while you don't, I would respectfully suggest that you are in the wrong job," the user said in an email addressed to Ghostery. "May I suggest you resign immediately and that Ghostery should raise their standards by employing former bus drivers in future?"
The company has since apologised for the error, saying that it had recently stopped using a third-party email automation platform and was managing emails in its own system in a bid to be more secure.
"Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient, was instead sent to a batch of users," it said.
"We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again."
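The defect Ghostery describes, one message addressed to a whole batch instead of one message per recipient, is easy to reproduce and just as easy to guard against before anything reaches an SMTP server. The example below is added here and is not Ghostery's code, nor code from any tool named in the article; the addresses are constructed placeholders. It builds the leaky "batch" message beside the per-recipient form, and wraps delivery in a pre-send check that refuses any message whose visible To/Cc headers carry more than one address.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (placeholder addresses, not from the article).
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
SENDER = "privacy-notice@example.org"  # placeholder sender address


def build_batch_message(recipients, sender=SENDER):
    """The failure mode described in the article: one message whose To header
    lists every recipient, so each user sees everyone else's address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Our updated privacy policy"
    msg.set_content("We take your privacy seriously.")
    return msg


def build_individual_messages(recipients, sender=SENDER):
    """The intended behaviour: one message per recipient, so no other user's
    address appears anywhere in what is delivered."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = "Our updated privacy policy"
        msg.set_content("We take your privacy seriously.")
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Every address a recipient can read out of the headers (To and Cc).
    Bcc is deliberately excluded: a correct mailer strips it before delivery."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(f) for f in fields]) if addr]


def leaks_addresses(msg):
    """True when delivering this message would disclose other users' addresses."""
    return len(visible_recipients(msg)) > 1


def guarded_send(msg, deliver):
    """Pre-send guard for a notification mailer. `deliver(sender, rcpts, raw)`
    is whatever transport you use (hypothetical callable, e.g. a thin wrapper
    around smtplib.SMTP.sendmail); it is never called for a leaky message."""
    if leaks_addresses(msg):
        raise ValueError(
            f"refusing to send: {len(visible_recipients(msg))} visible recipients"
        )
    rcpts = visible_recipients(msg) + [
        addr for _, addr in getaddresses([str(f) for f in msg.get_all("Bcc", [])]) if addr
    ]
    del msg["Bcc"]  # never let the Bcc header leave the building
    deliver(msg["From"], rcpts, msg.as_bytes())
    return rcpts


if __name__ == "__main__":
    sent = []
    record = lambda sender, rcpts, raw: sent.append((sender, rcpts))
    try:
        guarded_send(build_batch_message(RECIPIENTS), record)
    except ValueError as exc:
        print("batch message blocked:", exc)
    for m in build_individual_messages(RECIPIENTS):
        guarded_send(m, record)
    print("delivered", len(sent), "individual messages")
```

The guard sits at the one choke point every outbound notice passes through, so a change of sending tool (the kind of migration Ghostery blames) cannot quietly reintroduce the batch form; a single assertion on visible recipients is cheap insurance next to an apology mailout.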
Seriously, though, those fields are close together
But Ghostery wasn't the only company foiled by the most basic of technical issues when trying to brag about their newfound interest in data protection.
Nutrition biz Vitl – which pushes "tailor-made" diet and lifestyle plans – also experienced a technical hitch, sending out an email to multiple users rather than BCCing them.
The firm apologised to the "small number" of affected users, although it tried to do so without trumpeting it – an idea that infuriated users, with one posting the apology note in full:
Well nothing that couldn’t have been said openly on Twitter. “Small number” is a cop out, I’ve seen a few people mentioning it on Twitter, and no matter how small, it is serious! And what point is there in me contacting them, the damage has been done. pic.twitter.com/9eY43Rh1m5— Chris Kyle (@ChrisPKyle) May 24, 2018
Received a GDPR email from my old university computing society. They didn't BCC people when sending it out or send it as individual emails. Received 1000 ex/current member emails. #ffs #gdpr #amateurhour— Mike P (@mike_palfrey) May 24, 2018
One of our suppliers just sent us an email, addressed to all of their customers, about GDPR. They forgot to BCC all 720 email addresses. pic.twitter.com/xnQYsmW2c8— Pete (@Kibbled) May 23, 2018
Although some decided not to name and shame the smaller firms that had made the error, the bigger organisations didn't get off so lightly.
That includes the New York Times, which – according to multiple Twitter users – accidentally cc'd a number of freelancers and vendors into its GDPR notice, unleashing upon the unwitting recipients a flurry of reply-all emails to add to the existing pile of GDPR missives.
However, showing that there's nearly always a silver lining if you look hard enough, some saw this sort of mistake as a possible networking opportunity.
Vendor, not customers. Essentially all the freelancers. The list is now organizing drinks in some cities. 😀 I still haven’t replied all. I should, right? Right? https://t.co/pxHOQhfc39— zeynep tufekci (@zeynep) May 26, 2018
The foul-ups follow a series of US websites – including newspapers owned by Tronc – shutting down services for EU users on Friday, in an attempt to dodge the much-publicised – and overblown – megabucks fines touted by many ahead of the enforcement date. ®