Bcc for Email and Bcc Incidents Explained

Richard Bradley
GDPR Team Manager
25th March 2022

Electronic mail (or email) is an integral part of how businesses function and has been a fundamental communication tool across all industries. Email communication has been used to interact instantly with employees and customers, as well as to share important information with the wider public. Emails are also effective as they can be used to connect two or more people by allowing businesses to send messages en masse to a targeted list of contacts quickly and efficiently.

Sending bulk emails allows individuals to send copies of an email to multiple people to keep them in the loop on a project and give them visibility over a subject or an event. However, there are also pitfalls that can occur when sending emails to more than one person, such as revealing sensitive business-related information to unintended recipients.

Your conventional email client has three core sections for adding contacts when composing an email – To, Cc, and Bcc. Each affects who receives and has visibility of an email. In this blog, we discuss the differences between Cc and Bcc, how to avoid using the Bcc function incorrectly, and who to contact in case sensitive data is sent to the wrong person and the confidentiality of email recipients is breached.

What is Bcc?

Bcc (Blind Carbon Copy) is a way of sending copies of emails to someone other than those listed as primary recipients. Bcc recipients are 'blind' to the rest of the parties in the email chain. The reason for adding someone as a Bcc recipient is to maintain their privacy when sending an email. Bcc keeps recipients invisible to the rest of the contacts in the email and, for this reason, can also be useful when sending an email to large groups of people to protect their identities from each other.

Recipients listed as Cc (Carbon Copy) are visible to both Cc'd and Bcc'd recipients. This means that when someone is Cc'd into an email, the Cc list is visible to all other recipients, unlike when individuals are Bcc'd into an email.


Don't panic! How to mitigate risks when using Bcc

It's understandable to go into a blind panic when you realise you've just sent an email to 50 people, when you should've used Bcc. To mitigate risk when sending emails using Bcc, there are a few steps that can be taken to ensure the correct recipients receive correspondence and reduce the risk of employees misusing Bcc.

  • Use mailing services like Mailchimp when sending bulk emails or newsletters. It's far more efficient to create a defined contact list of intended recipients of emails, rather than entering a list of individual email addresses that increases the risk of sending business-related information to the wrong people.
  • Configure your email client to warn your staff when they're about to send emails externally or to large numbers of people. A forewarning before sending an email could be the timely prompt users need to double-check the content and recipients of the email.
  • Only enter email addresses at the last step. Depending on the email client, users can disable auto-complete functions to ensure email addresses do not auto-fill To, Cc or Bcc fields. This reduces the risk of accidentally sending something out to the wrong person.
  • Educate employees on the risks of using To, Cc, and Bcc when composing emails to reduce the threat of a data breach or violating the GDPR.
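
A pre-send check of the kind the second bullet describes, as an added example (not code from the original article or from any email client): it parses a draft's headers and returns the prompts a user would be shown before sending. The domain `example.org`, the threshold of 10 and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"  # assumption: the sender's own domain
MAX_VISIBLE = 10                 # assumption: largest To+Cc list sent without a prompt


def _addresses(msg, *headers):
    """Return the lower-cased addresses found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def presend_warnings(raw_message, internal_domain=INTERNAL_DOMAIN,
                     max_visible=MAX_VISIBLE):
    """List the reasons a draft should be confirmed before it is sent."""
    msg = message_from_string(raw_message)
    visible = _addresses(msg, "To", "Cc")  # every recipient can read these
    hidden = _addresses(msg, "Bcc")        # not shown to the other recipients
    suffix = "@" + internal_domain.lower()
    external = {a for a in visible + hidden if not a.endswith(suffix)}
    exposed = {a for a in visible if not a.endswith(suffix)}

    warnings = []
    if external:
        warnings.append(f"{len(external)} external recipient(s)")
    if len(visible) > max_visible:
        warnings.append(f"{len(visible)} addresses in To/Cc are visible to "
                        "everyone; use Bcc or the bulk mailing tool")
    if len(exposed) > 1:
        warnings.append(f"{len(exposed)} external addresses will be "
                        "disclosed to each other")
    return warnings


# Constructed sample drafts (placeholder addresses, not real contacts).
_contacts = ", ".join(f"contact{i}@example.com" for i in range(12))
DRAFT_CC = (f"From: news@example.org\nTo: news@example.org\n"
            f"Cc: {_contacts}\nSubject: Update\n\nHello\n")
DRAFT_BCC = DRAFT_CC.replace("Cc:", "Bcc:")

if __name__ == "__main__":
    for name, draft in (("Cc", DRAFT_CC), ("Bcc", DRAFT_BCC)):
        print(name, presend_warnings(draft))
```

The same 12 contacts raise three prompts when placed in Cc and only the external-recipient prompt when placed in Bcc.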

If things have gone wrong when sending an email, the first thing you'll need to do is to try to contain and mitigate the issue. You should consider the following if an incident occurs where an email puts contacts and personal information at risk of exposure:

  1. What are the implications for the recipients knowing each other's email addresses?
  2. Do all individuals affected suffer the same level of risk as a result of the breach?
  3. Is there anything you can do to put things right for individuals?
  4. Be honest about what happened to those affected by the email. Consider reaching out to the recipients impacted and be clear about their rights.

You can also recall an email. If you and the recipient are both using Microsoft Exchange or Microsoft 365, and are both on the same domain (e.g., @outlook.com, @Bulletproof.co.uk, etc.), and they have yet to open the email, it can be recalled or replaced. A few qualifiers there, but it could save you a headache!

Who to contact

If it is likely that there is a risk to the rights of these recipients due to the incorrect use of Bcc and sensitive data has been shared with the wrong people, you will need to consider informing the Information Commissioner's Office (ICO) about the incident. By completing a self-assessment, you can establish if a specific breach needs to be reported to the ICO. You have 72 hours to report a personal data breach, such as sending an email to the wrong person, either through spotting it yourself or being told by a recipient. Reporting such an incident to the ICO and showing that you're taking action to prevent a similar breach from happening again reduces the risk of the ICO investigating after a data subject files a complaint that could lead to your organisation receiving a fine.


Case Study: Data Breach – HIV Scotland

In 2021, HIV Scotland, a charity known for its successful advocacy for people living with and at risk of HIV, accidentally used the Cc feature instead of Bcc when sending an email, which revealed the email addresses of all the intended recipients to everyone who received the email. HIV Scotland was fined £10,000 for failing to Bcc the 105 recipients of the email. 65 of those email addresses identified people by name.

The investigation found that the charity lacked policies and staff training, and even though it had procured a bulk mailing tool, employees were continuing to use the much less secure method of Bcc'ing on large emails 7 months later. This case demonstrates a lack of care taken by HIV Scotland in addressing the risks that they ironically said they recognised. It also proves that with effective staff training, errors such as this can be avoided, and personal data can be protected with the correct technical and organisational measures in place.

Key takeaways

  • If a bulk email tool is procured, engage your staff to ensure they understand why it's important to use it over less secure forms of sending emails.
  • When composing and sending emails, be certain that staff understand the potential risks imposed by the types of data they're handling.
  • In certain circumstances, an email address leak can be considered high risk to the rights and freedoms of the people involved.
  • Provide training for identifying a breach and implement a procedure for knowing what to do in the case of a breach.
Meet the author

Richard Bradley GDPR Team Manager

Richard is a seasoned senior GDPR and data protection consultant who uses his experience in GDPR compliance to write with passion and insight on GDPR and data protection. Heading up Bulletproof's GDPR team, he makes sure that our services and individual data protection consultants are all at the top of their game.
