Thousands of residents in Bristol have received an email from the city’s council apologising for a data breach that occurred as the department sought to reassure citizens of its compliant data handling.

The email explained that the email addresses of those caught up in the breach would be erased from council records.

The incident came about after citizens signing up or contributing to the Bristol Citizens’ Panel were inadvertently shown the emails of others involved, because those in the email loop were cc’d into the dialogue. Had the ‘bcc’ option been chosen instead, the emails would have remained hidden and no breach would have taken place.

The original email had been written to reassure Bristol residents that their email addresses would be erased from the council’s database, in compliance with the GDPR. The email had been sent to everyone who had participated in a survey to be a part of the Citizens’ Panel, and to those who had contributed to the forum in preceding months and years.

Prompt complaints from recipients added fuel to the fire, as those venting their disbelief clicked the “reply all” option, multiplying the exposure even further.

One opportunist used the blunder to invite everyone on the recipient list to a club meeting at Za Za Bazaars – an iconic restaurant in the West Country capital.

In an apology, the council claimed that the email was sent out “in error”, but not before prospective members of the Citizens’ Panel and all potential contributors were able to see the email addresses and names of all the others who were linked into the platform.

The council letter read:

“We sincerely apologise for an email that was sent out in error earlier today.

“The email was sent to recipients with the email details in the ‘To:’ address field so these were visible to everyone who received the message.

“This was done in error and should not have happened. This has been reported to the city council’s data controller as a data breach,” it added.

“Your email address will be deleted from the Citizens’ Panel database and you will not be contacted again,” it continued.

