Micropayments company Coil has emailed users its new privacy policy but, in error, put hundreds of their users’ email addresses in the “To:” field – breaching their privacy.
Coil has become aware of the incident and sent an apology email with a subject line “Please forgive us”.
More on that story here: https://www.theregister.com/2020/11/17/coil_email_data_breach/
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
I think security risks stemming from this particular incident are from low to zero. Emails, abstracted from other PII that was reportedly not affected in any manner, are of no value for cybercriminals who enjoy billions of compromised records with full stacks of highly sensitive data being accessible on the Dark Web. Moreover, emails can frequently be found on Google or even at corporate websites. Furthermore, given that the emails are only disclosed among a limited number of the affected users, it is unlikely any regulators will have strong enough interest to intervene and are more likely to issue a warning at best. Likewise, victims will highly unlikely have an actionable legal claim under the circumstances, even less likely to monetary compensation.
Obviously, the surrounding context of this regrettable incident is pretty unusual and embarrassing but no one is immune from human error. Probably, many of the affected people were working or supporting an organization that had committed a similar mistake in the past: there is nothing you can do to entirely eliminate the human factor. I do understand the rage of the affected users, however, any propagation of the disclosed emails to third parties or share them in social networks may trigger legal ramifications for them. I think the company and the affected users will find a mutually acceptable settlement soon and turn the page.