How to Prevent Potential Privacy Breaches Because of Mistakenly Sending of Emails via Cc Instead of Bcc?

It's quite funny how even after so many years of using it, people still make mistakes when it comes to sending emails. One of the most common (and most dangerous) is putting recipients into Cc (Carbon copy) instead of Bcc (Blind carbon copy).

This can be a costly mistake as doing this constitutes a data breach. In this article, we'll explain the difference between Cc and Bcc, when to use one and when the other and how to avoid mixing these two when sending mass emails.

What are Carbon Copy and Blind Carbon Copy?

When you click "Compose" to start a new email message, in the upper-right corner of the message, next to the "From" field, you'll see the "Cc" and "Bcc" fields.

These are "Carbon copy" and "Blind carbon copy".

Now, you can use both when you want to send emails to multiple recipients (in addition to the main recipients (which will be in the "To" field). However, you need to be careful when you use Cc and Bcc as you can mistakenly send an email to the wrong person this way.

When you put someone in the Cc field, that person's email address will be visible to all other recipients. This is fine if all the recipients know each other already (for instance, they all work in the same company).

However, when sending group emails to multiple recipients who don't know each other, using the Bcc field is the right option as you don't want their personal information to be accidentally exposed (and yes, according to both GDPR (General Data Protection Regulation) and CCPA (California Consumer Protection Act), email addresses are PII (Personally Identifiable Information).

Essentially, if you use Cc instead of Bcc, all email addresses will be visible to all of your recipients.

Examples of Data Breaches When Sending Emails via Cc Instead of Bcc

Sending emails via Cc instead of the Bcc is a common email mistake that many of us make when sending emails to a large group of people.

In fact, many well-known organizations have made this Bcc blunder themselves.

For example, in January 2020, wireless speaker and home sounds systems company Sonos accidentally exposed 450 email addresses of their customers because they Cc'd instead of putting them in the Bcc field.

A spokesperson for Sonos said:

Earlier today, an email was sent in response to a number of customer inquiries that included email addresses. No further information was included. We have apologized to each customer affected by this error and have put in place processes to ensure this will not happen in the future.

Sonos was not the only one to make this email mistake, however.

Canadian transit organization, Metrolinx, which also operates GO Transit, PRESTO and UP Express, made an even bigger data breach when it put more than 2,000 email addresses of its riders in the Cc instead of the Bcc field.

The email, sent by the market research team at Metrolinx, was meant to get feedback from Metrolinx customers about their satisfaction with the compliance services office and even said:

If you participate in this survey, your responses will be kept anonymous and confidential.

Instead, however, the company inadvertently put at risk private information of 2,000+ of its users.

Human Error or More? How to Stop Sending Emails into the Wrong Hands and Prevent a Data Breach?

When are people making the most mistakes?

If you don't want your company getting in hot water because of some misdirected emails, or accidentally exposing your customer sensitive information, it's first important to know why misdirected emails happen in the first place and how to prevent this.

The most common scenarios of misdirected emails are:

  1. Using "To" or "Cc" field instead of the"Bcc" field
  2. Misspelling the recipient's email address. For example, [email protected] vs [email protected]
  3. Letting the email client "autocomplete" the email address of the recipient without checking
  4. Clicking "Reply All" when you want to reply only to the original sender

According to Tessian, 93% of people cited that they were feeling tired or stressed at some point during the workweek, with 46% reporting burnout at some point in their career.

These can easily lead to a lack of focus and make people more prone to making mistakes like sending an email to the wrong email address.

Fortunately, there are some things your company can do to minimize the risk of a data breach by sending a misdirected email:

  1. Make sure that you have all data protection processes in place before sending out a mass email
  2. Include data loss prevention tools into your information security, such as prompting the employee sending the emails that emailing certain files outside your organization is not advised (and should be Bcc'd instead of Cc'd)
  3. Use an email marketing tool that is compliant with your business when you need to send emails to multiple users
  4. Have a data breach response process in place for both before and after a data breach incident


Sending an email to one wrong recipient is a mistake that you can probably get away with a simple sorry. In fact, people get such messages in their inbox all the time. It's a simple human error.

However, if your organisation needs to send out emails to multiple addresses, then this email mistake can be quite costly and can put your company at risk of a data breach as well as expose all of the recipients' email addresses, then this becomes a big deal.

We hope that this post will help you improve your email security and data protection in your organisation and prevent revealing your customers' personal information.