Plymouth exposed 500 home-schooling families' emails. York showed the fix is overdue.
A second UK council in roughly a week used To/Cc instead of BCC on a bulk message, leaving recipient addresses visible to each other.
Plymouth City Council's Elective Home Education team recently told roughly 500 home-schooling families about an upcoming legislative change, then placed all of their email addresses in the To and Cc fields of the same message, according to The Register's reporting on the incident. The blind-carbon-copy field exists for exactly this kind of mass mail. It was not used. The council has apologized, asked recipients to delete the message, and filed a report with the Information Commissioner's Office.
The "around 500" figure and the ICO framing come from The Register's reporting; Plymouth has not confirmed the detail to the outlet on the record, and the council did not respond to The Register's request for comment at the time of publication. That silence is itself part of the story. A council that handles sensitive family data and faces an active ICO matter has chosen not to explain the failure or the fix to the press.
What lifts the Plymouth disclosure above another local-government embarrassment is the timing. Roughly one week earlier, City of York Council disclosed an almost identical blunder, putting the email addresses of hundreds of disabled residents into a shared To/Cc line on a bulk message. Two UK councils, two different vulnerable groups, the same keystroke. This is no longer a one-off. It is a recurring failure mode in how local-government teams compose bulk mail.
A Register reader who contacted the paper described the follow-up communications after the Plymouth leak as "a bit of a mess," with later messages causing further confusion among recipients. That texture points to a process failure: the original mistake is compounded by the cleanup, because there is no playbook for telling 500 families their addresses have been exposed to each other.
The harm here is reputational rather than catastrophic, and Plymouth's own statement that no child-specific data was included in the leaked addresses is on the record and should be reported, not buried. The exposure is narrower than feared but still real: home-schooling families, including some who have chosen that route for sensitive personal reasons, can now see one another's addresses, infer who else is on the list, and be visible to the rest. For a subset of recipients that is not a minor consequence.
The fix is unglamorous and overdue. Mandatory BCC-only mailing policies for any distribution above a small internal threshold, with the To/Cc fields disabled or warned in council email clients for large sends. A pre-send review step for any message that touches an external list, signed off by someone other than the author. List-hygiene discipline: the home-schooling list should not be sitting in a personal contacts folder, ready to be misaddressed in a hurry. And a published incident-response template for the inevitable next BCC failure, so the cleanup is at least as disciplined as the original send was not.
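One way to enforce the BCC-only threshold described above is a pre-send check that holds any message exposing too many external addresses in To/Cc. This is an added example, not code from either council or from The Register; the domain `council.example`, the limit of 5, the function names and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "council.example"  # assumption: placeholder for the sender's own domain
MAX_VISIBLE_EXTERNAL = 5             # assumption: the "small internal threshold" is a policy choice


def visible_external_recipients(msg, internal_domain=INTERNAL_DOMAIN):
    """Return the unique external addresses that every recipient would see (To + Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    exposed = set()
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        if "@" not in addr:
            continue  # malformed or empty entry, nothing to expose
        domain = addr.rsplit("@", 1)[1]
        internal = domain == internal_domain or domain.endswith("." + internal_domain)
        if not internal:
            exposed.add(addr)
    return sorted(exposed)


def check_outbound(raw_message, limit=MAX_VISIBLE_EXTERNAL):
    """Return ("HOLD" | "ALLOW", reason). Bcc is never counted: it is not shown to recipients."""
    exposed = visible_external_recipients(message_from_string(raw_message))
    if len(exposed) > limit:
        return ("HOLD", f"{len(exposed)} external addresses in To/Cc (limit {limit}); "
                        "resend with Bcc or a mailing-list tool")
    return ("ALLOW", f"{len(exposed)} external addresses visible")


# Constructed sample data: eight fictional family addresses.
FAMILIES = [f"parent{i}@mail.example" for i in range(1, 9)]

# The failure mode from the article: the whole list split across To and Cc.
BULK_TO_CC = (
    "From: ehe@council.example\n"
    "To: " + ", ".join(FAMILIES[:6]) + "\n"
    "Cc: " + ", ".join(FAMILIES[6:]) + ", manager@council.example\n"
    "Subject: Upcoming legislative change\n\nNotice text.\n"
)

# The intended form: sender in To, the list in Bcc.
BULK_BCC = (
    "From: ehe@council.example\n"
    "To: ehe@council.example\n"
    "Bcc: " + ", ".join(FAMILIES) + "\n"
    "Subject: Upcoming legislative change\n\nNotice text.\n"
)

if __name__ == "__main__":
    for label, raw in (("To/Cc blast", BULK_TO_CC), ("Bcc send", BULK_BCC)):
        print(label, "->", check_outbound(raw))
```

A check like this only helps if it runs before delivery, for example in the mail client or at the outbound gateway, so that a held message never reaches the list.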
York needed those guardrails a week ago. Plymouth needed them yesterday. The next council that tries to email a vulnerable group at scale will need them too, and the only durable way to break the cadence is to remove the ability to send a To/Cc blast in the first place.