City of York Council Data Breach Exposes Disabled Residents' Email Addresses
Severity: Medium (Score: 51.1)
Sources: Theregister, www.yorkpress.co.uk
Keywords: city, york, council, investigation, blue, badge, email
Severity indicators: breach, data breach
Summary
A data breach at City of York Council revealed the email addresses of hundreds of Blue Badge holders. The breach occurred when emails were sent without using the blind carbon copy (BCC) function, allowing recipients to see each other's email addresses. This incident has raised concerns among affected individuals, as it disclosed their status as disabled residents. The council has initiated an investigation and is assessing the potential impact on those affected. Affected residents have been advised to delete the emails and remain vigilant for suspicious messages. The council is also evaluating whether the breach requires notification to the Information Commissioner's Office within the statutory timeframe. The investigation is ongoing, and the council has committed to improving its data protection measures.
Key Points:
- City of York Council mistakenly exposed email addresses of hundreds of Blue Badge holders.
- The breach occurred due to emails sent without using the BCC function.
- Affected individuals have been advised to delete emails and stay alert for suspicious messages.
Detailed Analysis
**Impact** Hundreds of disabled residents in the City of York were affected when their email addresses were exposed through a council mailing list. The breach revealed recipients as Blue Badge holders, disclosing sensitive information about their disability status. This incident impacts the local government sector and raises privacy concerns for the individuals involved, particularly given the personal nature of the data. The council is still determining the exact number of affected individuals.

**Technical Details** The breach resulted from emails sent without using the blind carbon copy (BCC) function, exposing all recipients' email addresses to each other. No malware, CVEs, or external attack vectors were involved; the incident appears to be a procedural or human error during email distribution. The council issued a follow-up email requesting deletion of the messages and is conducting a risk assessment per Information Commissioner's Office (ICO) guidance. No indicators of compromise (IOCs) were reported.

**Recommended Response** Organizations should review and enforce strict email handling procedures, ensuring BCC is used for mass communications involving sensitive groups. Conduct staff training on data privacy and email security best practices. Monitor for phishing attempts targeting affected individuals following the breach. The City of York Council should complete its risk assessment and notify affected parties with clear guidance on mitigating potential follow-on risks.
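One way to back the BCC recommendation with a technical control rather than procedure alone, as an added example (not taken from the source articles or the council's systems): a pre-send check that holds any message whose To/Cc headers would expose more than a set number of external addresses to every recipient. The domain names, the threshold and the sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed policy values for illustration; tune to the organisation.
INTERNAL_DOMAINS = {"council.example"}
MAX_VISIBLE_EXTERNAL = 5


def visible_recipients(msg):
    """Return the lower-cased addresses every recipient can see (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    pairs = getaddresses([str(h) for h in headers])
    return sorted({addr.lower() for _name, addr in pairs if "@" in addr})


def check_outbound(raw, limit=MAX_VISIBLE_EXTERNAL):
    """Decide whether a message may be sent: (allowed, exposed external addresses)."""
    msg = message_from_string(raw, policy=policy.default)
    external = [a for a in visible_recipients(msg)
                if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]
    return len(external) <= limit, external


def build_sample(to_addrs, bcc_addrs=()):
    """Build a sample message (constructed test data, not from the incident)."""
    lines = ["From: badges@council.example", "To: " + ", ".join(to_addrs)]
    if bcc_addrs:
        # Bcc is shown here as the mail client would submit it, before the
        # mail server strips the header for delivery.
        lines.append("Bcc: " + ", ".join(bcc_addrs))
    lines += ["Subject: Blue Badge renewal reminder", "", "Body text."]
    return "\n".join(lines)


RESIDENTS = [f"resident{i}@mail.example" for i in range(1, 9)]
EXPOSED = build_sample(RESIDENTS)                            # all 8 in To
SAFE = build_sample(["badges@council.example"], RESIDENTS)   # all 8 in Bcc

if __name__ == "__main__":
    for label, raw in (("To-list", EXPOSED), ("Bcc-list", SAFE)):
        allowed, exposed = check_outbound(raw)
        print(label, "send" if allowed else "HOLD", len(exposed), "visible external")
```

The same logic can run as a mail-client add-in or as an outbound gateway rule; a held message should go back to the sender with the count of exposed addresses rather than being silently dropped.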
Source articles (2)
- Council in UK's City of York outs hundreds of disabled residents with a single email blunder — Theregister · 2026-06-05
  A City of York Council email mishap exposed the email addresses of hundreds of Blue Badge holders in the ancient Viking capital, inadvertently revealing their status as disabled residents and triggeri…
- 26158504.city York Council Investigation Blue Badge Data Breach — www.yorkpress.co.uk · 2026-06-05
  AN investigation has been launched after a list of blue badge holders was mistakenly emailed out by City of York Council. City of York Council have launched a full investigation after a data breach th…
Timeline
- 2026-05-28 — Emails sent revealing Blue Badge holders' email addresses: City of York Council sent multiple emails without BCC, exposing recipients' email addresses to each other.
- 2026-05-28 — Fourth email sent acknowledging the error: The council sent a follow-up email asking recipients to delete previous emails and remain vigilant for suspicious messages.
- 2026-06-05 — Investigation launched by City of York Council: The council confirmed it is investigating the data breach and assessing its impact on affected individuals.
Related entities
- Data Breach (Attack Type)
- City Of York Council (Company)
- CWE-200 - Exposure of Sensitive Information (CWE)