NHS Digital scored a classic reply-all own goal by sending not one, not two, not three, but four emails about an infosec breakfast briefing, each time copying the entire invitation list on the message.
The first email, sent yesterday morning, thanked participants for “signing up for NHS Digital: Let’s Talk Cyber’s Full Digital Breakfast, scheduled for Thursday, October 21, 2021, 8am to 9am.”
Apparently Neil Bennett, CISO at NHS Digital, and Phil Huggins, National CISO at NHS X, “along with guest speakers, will have a conversation about ongoing protection and how an increasingly digitized world means we need to be super vigilant and cyber-secure, where cyber hygiene is essential to protect patients.”
According to sources in the chain of emails, NHS Digital sent the follow-up messages in an attempt to change the details of the invitation. The fourth was a cancellation, “again with each person copied,” one healthcare technician told us.
“They subsequently emailed a BCC list that simply repeats that the meeting is in progress but does not acknowledge the data breach.
“Oh, and it keeps doing the trick as some people did the usual ‘Reply All’, which is a frustration for anyone who didn’t want their emails shared or their inboxes getting clogged.”
The event, which is scheduled for tomorrow morning, is open to anyone wishing to register. People in the email chain estimated that between 100 and 200 email addresses were exposed on the attendee list, a mix of addresses belonging to individuals and to private companies.
As one of the registrants told us, the irony was not lost on them given the subject of the breakfast briefing. “So not that security conscious then.”
As email errors go, this ranks pretty low in terms of severity – just think of this story, or this one – but it’s more than a little embarrassing.
A spokesperson for NHS Digital said of the issue: “We take our responsibility to protect personal data very seriously. It was an invitation to a closed event sent to people who had confirmed they wanted to attend.
“As soon as we became aware of the concerns, we took immediate corrective action, including reporting the incident for further investigation and removing the original invitation.
“We are looking to continually improve our processes and will make sure to provide another way for delegates to attend our events in the future.”
The Reg also asked the Information Commissioner’s Office whether anyone had reported the incident, and was told it had not yet received a report. A spokesperson said: “Organizations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it poses a risk to the rights and freedoms of individuals.” ®