Published: 16th November 2016

Yes, we’ve all done it. We’ve done it with WhatsApp, we’ve done it with SMS and, yes, we’ve done it with email, and, worst, we’ve done it with work email.


In a hurry to get an email sent, the wrong recipient gets selected from the helpful drop-down on the address bar. Sensitive information goes out to the wrong person and, on occasion, the ramifications are far worse than simply embarrassing.
This is a common problem and one often overlooked when addressing a firm’s information security. Email has become by far the most common means of workplace communication and those helpful, time-saving features of email applications, the autofill suggestions, are a very real source of information leakage; IT is often more preoccupied with bad actors such as faceless hackers or rogue employees than it is with an employee’s simple mistake.

More Than Just an Embarrassing Error

A recent think-piece by one security firm operating in this space puts the problem into perspective. CheckRecipient is a firm whose specialisation is email safety, and its white paper, Human Error and Misaddressed Emails: Can Artificial Intelligence Save The Day? notes various sources indicating that “misdelivery” is a term on the rise.

The Information Commissioner’s Office (ICO) places just under two-thirds of data security incidents reported to it this year as being down to human error of which 9% were “data emailed to the wrong recipient”, according to the results of a 2016 Freedom of Information request made to the ICO by Egress Software Technologies.

Verizon, in 2015, reported similar numbers; almost a third of its “Miscellaneous errors” were due to “Misdelivery”.

The concept of misdelivery is a little wider than one might think at first glance. An email addressed to the wrong person is one thing, but an email correctly delivered but carrying additional, potentially damaging information, can be quite another.

Chelsea and Westminster Hospital NHS Foundation Trust fined was £180,000 in May this year for revealing more than 700 users of an HIV service by erroneously copy pasting the full address list into the ‘to’ field instead of the ‘bcc’ field; 730 of the 781 email addresses contained peoples’ full names.

More recently, last week on 14th November, the NHS had its email system brought to its knees when a test email was erroneously sent to all NHS email recipients – estimates varying between 840,000 and 1.2 million recipients. Over 100 users then chose to “reply to all” resulting in a self-created denial of service email storm which, while not exposing sensitive information, caused a massive communication slowdown and a consequent potential risk to patients.

Risk Management and Mitigation by Software

CheckRecipient’s approach to this problem is new and interesting. They have taken a machine learning and artificial intelligence (AI) approach, looking for patterns within users’ email habits and flagging anomalies; given a chain of emails addressed to John Smith, it will flag the mistaken replacement of John Smith’s email address with that of John Doe. The system will also detect potentially erroneous cc entries and, based on a history of communication with any particular addressee, can flag unexpected combinations of content and recipient.

Addressing almost 800 email recipients in the ‘to’ field is likely to be just the sort of anomaly the system would pick up.

It is, of course, not a silver bullet – a system like this can only make suggestions based on existing patterns, just as a human examiner would. It won’t necessarily be triggered by a one-off email to a new addressee, but it represents the narrowing of a significant hole in most security thinking.

Data breaches will become more important and of particular interest shortly, with the EU General Data Protection Regulation (GDPR) coming into force in 2018. GDPR will enforce mandatory notification within 72 hours for breaches where sensitive personal information is put at risk, with fines of up to 4% of annual worldwide turnover levied on firms that are found negligent. (Brexit negotiations cannot be completed before UK businesses and other UK data users fall within its scope.)
Regulated firms will also need to be aware of their responsibilities to notify the FCA and PRA under Chapter 15 of the Supervision Manual (SUP 15).

It is often estimated that 80% of information security issues could be prevented by the implementation of straightforward good practice. Putting in place a gatekeeper on outgoing mail would seem a sensible precaution.

Actions Required

It would appear that quite apart from the risk of e-mail misdelivery itself, the increase in the volume of e-mail and the increase in the pace of business is amplifying that risk further. It would appear too, that many businesses and data users are as yet relatively uninformed and unprepared for the more onerous obligations and severe penalties that could arise from e-mail misdelivery under the GDPR.

Action 1

Firms and data users must ensure now that they understand the requirements of and the implications arising from the GDPR and then plan how to manage and mitigate the risks arising.

Action 2

Firms and other data users must find a way to create a short pause for e-mail users to be able where possible to make sure they meant to “reply all” or that the recipient selected is the one intended and not a case of “mis-selection in haste”. Google mail implements an up-to-30 second “Undo” feature giving users a chance to retract an incorrectly addressed or inappropriate email.

As it will always be difficult to slow down or insert a manual “pause for thought” into an electronic system, then it is sensible to consider an electronic approach and consider whether e-mail screening software can be used to manage or mitigate the problem of e-mail misdelivery.

This article has elements republished with CheckRecipient’s consent. Please see original item at

Print this Page