HMRC dev support team cc blurtfest: Over 1,400 email addresses blabbed

Developers find out who else is testing HMRC's tools

By Rebecca Hill

Almost 1,500 software developers registered to use the UK taxman's sandbox or API platform have had their email addresses blabbed in a mass mailing.

The snafu happened on Friday afternoon, when an email about the HMRC Developer Hub was accidentally sent with users' addresses visible in the CC field.

The email, with the subject line "API Platform update", was sent by the software developer support team at 1604 GMT.

"Please note the HMRC Developer Hub will remain shuttered over the weekend to allow us to continue testing the service. The Developer Sandbox for testing remains available. The API Platform is working as expected," the seemingly innocent email stated.

However, about an hour later, someone must have pointed out the mistake, and the team issued a recall for the message, which meant the same group received another email with all 1,455 or so email addresses cc'd in.

At 1809, a third email – this time blind-copying in the list – was sent to apologise for the breach.

"HMRC's policy is always to protect customer data, and we take this responsibility very seriously," the email said.

"Unfortunately, in a recent email, a mistake was made and your email address may have been shared with other recipients.

"I wish to apologise for this error and for any distress this may have caused."

As the Reg reader who alerted us to the cock-up observed, this kind of error is easily made, especially when the time is ticking away to beer o'clock.

An HMRC spokesperson said: "HMRC takes the protection of customer data extremely seriously and has a strong security culture.

"We can confirm that this matter was immediately reported through our internal incident reporting process and will be fully reviewed. We have contacted the software developers affected to alert them and to apologise." ®
