Email Sent to the Wrong Recipient: The Most Common Data Breach in Companies
When we think about cybersecurity, we often imagine ransomware attacks or hackers.
However, in reality, many security incidents within organizations are caused by… human error.
One of the most frequent?
Sending an email to the wrong recipient.
Statistics from data protection authorities show that sending information to the wrong recipient is the most commonly reported security incident, accounting for up to 16% of reported breaches. (Source: Data Security: An Analysis of 2023 ICO Breach Reporting)
In some cases, a simple mistake can lead to:
• Disclosure of personal data
• GDPR or data protection violations (GDPR / Swiss FADP)
• Loss of customer trust
• Legal or reputational risks
The good news?
These incidents are among the easiest to prevent.
Why do these errors happen so often?
Email remains the primary communication tool in businesses.
HR, finance, clients, partners — everything flows through email.
This creates the perfect environment for mistakes:
• Auto-complete suggestions in Outlook or Gmail
• Confusion between contacts with similar names
• Incorrect attachments
• Misuse of CC or BCC fields
Regulators consistently observe that these errors are unintentional but extremely common, particularly due to email auto-fill features. (Source: Human Error and Accidental Data Breaches)
When an email becomes a data breach
An email sent to the wrong recipient can qualify as a personal data breach.
Under GDPR, a breach occurs when personal data is disclosed to an unauthorized individual — even accidentally. (Source: European Commission – Data Protection & Data Breach)
If the incident poses a risk to individuals, the company must:
• Document the incident
• Notify the relevant authority
• Inform affected individuals (if necessary)
The breach must be reported within 72 hours of discovery. (Source: GDPR Article 33)
What to do if an email is sent by mistake
When an incident occurs, the priority is to limit the impact.
1. Contain the incident
Immediately ask the recipient to delete the email and any attachments.
2. Document the breach
Identify what data was exposed and who is affected.
3. Assess the risk
Determine whether the exposed data could harm the individuals concerned.
4. Decide on notification
If there is a real risk, report the incident to the relevant authority.
How to prevent misaddressed emails
Prevention relies on three pillars: technology, processes, and awareness.
Simple actions can significantly reduce risks:
• Double-check recipients before sending
• Use BCC to protect email addresses
• Review attachments carefully
• Avoid sending sensitive data via email
Organizations can also implement technical solutions such as:
• Data Loss Prevention (DLP)
• Alerts when adding external recipients
• Secure document sharing instead of attachments
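As an added example (not part of the original article and not keyIT's tooling), the following Python script shows what a pre-send check behind the "alerts when adding external recipients" idea can look like. It flags the patterns the article lists: recipients outside the corporate domain, addresses that closely resemble another known contact (an auto-complete near-miss), many external addresses exposed in To/CC instead of BCC, and attachments going to external recipients. The domain `example.com`, the contact list, the attachment name and the thresholds are all constructed for illustration.

```python
"""Pre-send recipient check (added example, constructed data).

Flags common misaddressing patterns before a draft leaves the mailbox.
All domains, contacts and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed corporate domain(s); any other domain is treated as external.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class Draft:
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str) -> bool:
    return domain_of(addr) not in INTERNAL_DOMAINS


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means one address is easily mistaken for the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(addr: str, known: list[str], max_distance: int = 2) -> list[str]:
    """Known contacts whose address differs from `addr` by only a few characters."""
    a = addr.lower()
    return [k for k in known if k.lower() != a and levenshtein(a, k.lower()) <= max_distance]


def check_draft(draft: Draft, known_contacts: list[str], max_visible_external: int = 5) -> list[dict]:
    """Return a list of warning records; an empty list means nothing looked suspicious."""
    warnings = []
    visible = draft.to + draft.cc          # addresses every recipient can see
    everyone = visible + draft.bcc
    for addr in everyone:
        if is_external(addr):
            warnings.append({"kind": "external_recipient", "address": addr})
        near = lookalikes(addr, known_contacts)
        if near:
            # Possible auto-complete near-miss: ask the sender to confirm.
            warnings.append({"kind": "lookalike", "address": addr, "candidates": near})
    # Many external addresses in To/CC leak the whole list; suggest BCC instead.
    external_visible = [a for a in visible if is_external(a)]
    if len(external_visible) > max_visible_external:
        warnings.append({"kind": "bcc_suggested", "count": len(external_visible)})
    # Attachments leaving the organisation: prefer a secure sharing link.
    if draft.attachments and any(is_external(a) for a in everyone):
        warnings.append({"kind": "attachment_to_external", "attachments": list(draft.attachments)})
    return warnings


if __name__ == "__main__":
    # Constructed address book: two similarly named people at one partner.
    contacts = ["anna.mueller@partner.ch", "anna.muller@partner.ch", "bob@example.com"]
    draft = Draft(to=["anna.muller@partner.ch"], cc=["bob@example.com"],
                  attachments=["salaries_2024.xlsx"])
    for warning in check_draft(draft, contacts):
        print(warning)
```

In a real deployment the same logic would sit in a mail client add-in or a mail flow rule rather than a script, and the warnings would be shown to the sender before the message is released; the point of the example is that each of the article's four causes (auto-complete, similar names, wrong attachments, CC/BCC misuse) maps to a concrete, cheap check.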
Securing corporate email
In most cases, data breaches are not caused by sophisticated attacks, but by simple, everyday mistakes.
A single misaddressed email can trigger:
• A data leak
• A compliance incident
• A loss of trust
At keyIT, we support organizations in securing their email systems and Microsoft 365 environments.
• Security audits: Microsoft 365 Security Audit
• Penetration testing: Continuous Pentesting with NodeZero
• Data compliance: Data Protection for Swiss SMEs
• DLP deployment & training: Microsoft Certified Trainings
Because today, email security has become a critical pillar of enterprise cybersecurity.