HMRC dev support team cc blurtfest: Over 1,400 email addresses blabbed

Developers find out who else is testing HMRC's tools

By Rebecca Hill

Almost 1,500 software developers registered to use the UK taxman's sandbox or API platform have had their email addresses blabbed in a mass mailing.

The snafu happened on Friday afternoon, when an email about the HMRC Developer Hub was accidentally sent with users' addresses visible in the CC field.

The email, with the subject line "API Platform update", was sent by the software developer support team at 1604 GMT.

"Please note the HMRC Developer Hub will remain shuttered over the weekend to allow us to continue testing the service. The Developer Sandbox for testing remains available. The API Platform is working as expected," the seemingly innocent email stated.

However, about an hour later, someone must have pointed out the mistake, and the team issued a recall for the message, which meant the same group received another email with all 1,455 or so email addresses cc'd in.

At 1809, a third email – this time blind-copying in the list – was sent to apologise for the breach.

"HMRC's policy is always to protect customer data, and we take this responsibility very seriously," the email said.

"Unfortunately, in a recent email, a mistake was made and your email address may have been shared with other recipients.

"I wish to apologise for this error and for any distress this may have caused."

As the Reg reader who alerted us to the cock-up observed, this kind of error is easily made, especially when the time is ticking away to beer o'clock.

An HMRC spokesperson said: "HMRC takes the protection of customer data extremely seriously and has a strong security culture.

"We can confirm that this matter was immediately reported through our internal incident reporting process and will be fully reviewed. We have contacted the software developers affected to alert them and to apologise." ®
