Due to a human error by an employee of the municipality of Groningen, the e-mail addresses of 450 residents have been exposed. The person in question wanted to send an e-mail to participants in the 'Entrepreneurship from welfare' program. However, the e-mail addresses were not placed in the bcc field, but accidentally copied to the cc field.
So reports the city newspaper Sikkom (1).
To help Groningers on welfare out of their situation, last year the municipality launched the "Entrepreneurship from welfare" program. Everyone who had participated in the initiative last year received an e-mail from the municipality in early September. In it, the municipality wanted to inform participants about events, webinars and other relevant matters.
To access all relevant documents, the Groningen municipality had set up an online environment through Microsoft Teams. The municipality warned participants that their e-mail address was visible to others and that participation was therefore voluntary.
In doing so, things went badly wrong. Instead of putting the e-mail with this warning in the bcc field, the e-mail ended up in the cc field. 'Bcc' stands for blind carbon copy, 'cc' for carbon copy. The major difference between the two input fields is that the e-mail addresses in the bcc field are invisible. Mail addresses entered in cc are visible to all recipients.
Because an employee accidentally copied emails into the cc field instead of the bcc field, 450 email addresses ended up on the street. Technically speaking, this is a data breach. A spokesperson for the municipality confirms that the Autoriteit Persoonsgegevens has been notified.
To Sikkom, the spokesperson says the following. "It is true that the Municipality of Groningen sent an e-mail on September 2 with over 400 e-mail addresses in the 'ON field'. Yesterday [Monday, Sept. 5, ed.] an apology email was sent by the relevant department to the recipients, asking them to delete the email with visible email addresses."
He went on to say that the municipality's data protection officer (FG) has reported the matter to the Autoriteit Persoonsgegevens. The municipality will look at how it can further tighten its internal processes to prevent a recurrence in the future.
At the end of August, an employee of GGD IJsselland made the same mistake (2). He wanted to send a list of personal data to a colleague. However, the document ended up with someone outside the organization. Thus, personal data of 148 Dutch citizens ended up with the wrong person.
The recipient promised to delete the list of personal data. GGD IJsselland promised to take extra precautions to ensure it does not happen again in the future.
In July 2021, things went wrong at GGD Noord- en Oost-Gelderland after a partygoer visited a discotheque in Groenlo while infected with the coronavirus. The regional GGD department then launched source and contact investigations. An employee sent an e-mail to hundreds of visitors, but forgot to shield the e-mail addresses (3). Instead of putting the e-mail addresses in the bcc field, they were included in the cc field. Thus, the e-mail addresses were visible to everyone. In total this concerned 460 visitors whose e-mail addresses accidentally ended up on the street.
sikkom.nl/data-leak-at-municipality-groningen-mail-addresses-of-hundreds-of-townjers-who-are-in-assistance-sitting-laying-on-street/
https://www.vpngids.nl/nieuws/ggd-ijsselland-lekt-per-ongeluk-gegevens-148-nederlanders/
https://www.vpngids.nl/nieuws/opnieuw-datalek-bij-ggd-gegevens-460-man-op-straat/
