On July 6 the City of Anna sent out six separate emails to water customers about a change in the electronic billing platform, but customers also got an unwelcome surprise: visible in the email were the email addresses of 499 other customers.
In all, 3,000 customers had their emails visible because of the error.
Anna City Manager Philip Sanders said six emails were sent out to 500 customers each because that is the maximum number of customers that can be addressed in one email in Microsoft Outlook. Sanders said a city employee sent the emails to customers using the “To” field in Outlook instead of the blind carbon copy (Bcc) field.
The difference is that addresses placed in the Bcc field are not visible to any of the other recipients.
“Inadvertently all of the email addresses were placed in the ‘To’ line,” Sanders said. “And so they were visible to everybody who received the email. It was just an error on some part of our staff. As soon as we recognized it occurred, we drafted an apology and sent it out to all the customers apologizing for the inadvertent error.”
No financial information of customers was compromised, he said. The original emails that were sent to customers were clarifying changes to the eCommerce platform. Starting in June payments through the platform began going through PayPal.
Bryan McAninch, a cyber security consultant from Frisco, said the biggest threat to email security is phishing scams.
Those scams work by sending out bait emails to people disguised as a trustworthy entity in order to gain sensitive information like a credit card or bank account number, names or addresses.
McAninch said another important aspect of this email error is that the people who use those email addresses all use the same online electronic payment system.
A good phishing scammer who got their hands on the emails would pose as the Anna Water Department, City, or Utility Department and claim a bill is overdue with a link to pay it attached. That link would then send the victim to a fake website where they could input their payment.
“It’s extremely difficult to gain authenticity in emails,” McAninch said.
For people worried about their privacy, he suggests creating a new email address.