Priviblog

Blind Copy: The West Ham Data Breach

Posted on 29/08/2018

West Ham data breach

Premiership football club West Ham were in the news last week, and not just for their predictable 3-1 defeat by Arsenal on Saturday. Fans took to social media to complain that the club had shared their personal data. West Ham sent an email confirming season ticket membership to hundreds of fans, but put the whole list in the Cc field rather than Bcc, so every recipient could see the email address of every other fan on that mailing list.

The Difference Between Cc and Bcc

‘Cc’ stands for ‘Carbon Copy’ – an allusion to the days of typewriting letters onto multi-ply carbon paper to make three or four exact copies on thin yellow, pink and green paper – and is the field you use when sending an email and copying someone in. ‘Bcc’ stands for ‘Blind Carbon Copy’. Every Bcc recipient receives the same copy of the email, but the Bcc addresses are stripped from the headers before delivery, so no recipient can see who else was on the list; only the sender knows. Addresses placed in the To and Cc fields remain visible to everyone who receives the message, so a group mailing should carry only the sender's own address (or a no-reply address) in To and everyone else in Bcc.

When sending a group email to many people who have no reason to know about each other, organisations must use the Bcc field, or better still a mailing system that sends each person an individual message, if they want to avoid the mistake that West Ham made.
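The point above is that recipient addresses belong in the SMTP envelope, not in the headers that every copy of the message carries. The following Python example is added here and is not code from the original post or from Priviness: it builds a group mailing the wrong way (everyone in Cc) and the right way (recipients passed only as envelope addresses, with nothing but the sender in To), then runs a simple pre-send lint that refuses any message whose headers expose other people's addresses. The sender and fan addresses are constructed sample data; nothing is actually sent.

```python
"""Added example (not from the Priviness post): keep group-mailing recipients
out of the message headers, and lint a message before sending to catch the
West Ham style Cc mistake. All addresses below are constructed sample data."""
from email.message import EmailMessage
from email.parser import BytesParser
from email.policy import default

# Constructed sample data: a club-style sender and three fan addresses.
SENDER = "tickets@example.club"
FANS = ["fan1@example.com", "fan2@example.net", "fan3@example.org"]


def build_cc_mailing(sender, recipients, subject, body):
    """The mistake: every recipient goes in Cc, so the full list is written
    into the headers of every copy that is delivered.
    Returns (raw message bytes, envelope recipient list)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), [sender] + list(recipients)


def build_bcc_mailing(sender, recipients, subject, body):
    """The fix: recipients exist only in the SMTP envelope (the RCPT TO list),
    never in the headers. No Bcc header is written at all, so there is nothing
    to leak even if a relay fails to strip it. The headers name only the sender.
    Returns (raw message bytes, envelope recipient list)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # To must not be empty; the sender's own address is safe to show
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def visible_recipients(raw):
    """Every address a recipient could read from the delivered headers.
    Bcc is checked too: it should never survive to the wire."""
    msg = BytesParser(policy=default).parsebytes(raw)
    seen = set()
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            for addr in header.addresses:
                seen.add(addr.addr_spec.lower())
    return sorted(seen)


def lint_before_send(raw, sender, max_visible=1):
    """Pre-send check: refuse a message whose headers expose more than
    `max_visible` addresses other than the sender's own. Returns the list of
    exposed addresses when the message passes."""
    exposed = [a for a in visible_recipients(raw) if a != sender.lower()]
    if len(exposed) > max_visible:
        raise ValueError(
            f"{len(exposed)} recipient addresses exposed in headers: {exposed}")
    return exposed


if __name__ == "__main__":
    bad_raw, bad_rcpts = build_cc_mailing(SENDER, FANS, "Season ticket", "Thank you.")
    print("Cc version exposes:", visible_recipients(bad_raw))
    good_raw, good_rcpts = build_bcc_mailing(SENDER, FANS, "Season ticket", "Thank you.")
    print("Bcc version exposes:", visible_recipients(good_raw))
    # With a real server the envelope list is what you hand to smtplib:
    #   smtplib.SMTP(host).sendmail(SENDER, good_rcpts, good_raw)
```

The separation matters because `smtplib.SMTP.sendmail()` takes the envelope recipients as its own argument: the server delivers to that list regardless of what the headers say, so the headers can safely name nobody but the sender. The lint is deliberately crude (it counts addresses, nothing more) but it is exactly the check that would have stopped the West Ham message before it left the building.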

ICO Data Breach

The Information Commissioner’s Office acknowledges that this type of error constitutes a data breach. In fact, the ICO reports the number of incidents of this particular type in its quarterly data security incident statistics, where failure to use Bcc when sending email is consistently the fifth most common type of data breach.

When the West Ham data breach story broke on social media (the football twitterati were quick to joke that nobody would want to be outed as a West Ham supporter), several newspapers picked up the story. The Telegraph reported on Thursday 23 August that:

“West Ham have apologised to the supporters involved and will report the incident to the ICO on Friday… The ICO said it was unaware of any breach report.”

We thought we’d see if there had been any movement on the story since then. Here’s a screenshot of our blogger’s webchat with an ICO representative. The opening question was ‘Have West Ham reported their data breach to the ICO yet?’

[Screenshot: a webchat with an ICO official]

West Ham have confessed their sin and the ICO are clearly now investigating the matter, but they are keen not to give too much away. The maximum fine under the GDPR is €20 million or 4% of annual worldwide turnover, whichever is higher. For a Premiership club of West Ham's stature that would be an enormous sum, although it is unlikely that the ICO would use its full powers. We'll keep an eye on this case and let you know if the ICO takes enforcement action against the club.

At Priviness, we offer courses suited to people at all levels of an organisation. Whether it was a lowly intern or a senior manager who sent out the West Ham emails and caused the data breach, the important point is how avoidable the whole fiasco would have been had the club invested in proper training in the fundamentals of GDPR compliance.

For more information about our data law compliance training, call us on 0203 2878 243 or email info@priviness.eu.
