Council in UK's City of York outs hundreds of disabled residents with a single email blunder
Blue Badge holders exposed to each other after BCC function proves too complex
A City of York Council email mishap exposed the email addresses of hundreds of Blue Badge holders in the ancient Viking capital, inadvertently revealing their status as disabled residents and triggering a data breach investigation.
The council confirmed to The Register that it's investigating what it described as a "personal data breach" after emails sent to residents last week were distributed without using the blind carbon copy (BCC) function, allowing recipients to see everyone else on the mailing list.
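The mechanism behind the blunder is worth seeing concretely: addresses placed in To or Cc travel in the message headers and are readable by every recipient, whereas addresses placed in Bcc are used only for the SMTP envelope (RCPT TO) and are stripped from the copy that is transmitted. The script below is an added example, not the council's tooling or anything from The Register, using only Python's standard library. It builds the same update two ways, simulates what a submission agent does with each header, shows what a recipient would see, and adds the pre-send gate a bulk-mailing process should have: refuse any message that would reveal more than one address. The sender address and the three-entry distribution list are constructed for the example.

```python
"""Mass-mail hygiene: what recipients can see in To/Cc versus Bcc,
and a pre-send gate that refuses an over-exposed bulk message.
Added example; not the council's code. Standard library only."""
from email import message_from_bytes
from email.message import EmailMessage

SENDER = "noreply@example.gov"  # assumed sender, not a real council address

# Constructed sample distribution list; no real residents' addresses.
DISTRIBUTION_LIST = [
    "resident1@example.org",
    "resident2@example.org",
    "resident3@example.org",
]


def build_message(recipients, *, use_bcc):
    """Build the update e-mail either the leaky way (whole list in To)
    or the intended way (sender in To, list in Bcc)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Blue Badge update"
    msg.set_content("Constructed sample body for the example.")
    if use_bcc:
        msg["To"] = SENDER  # something harmless in To; the list stays hidden
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def to_wire(msg):
    """Mimic submission: every To/Cc/Bcc address becomes an SMTP envelope
    recipient, then Bcc is stripped from the serialized copy that is
    actually transmitted (the same thing smtplib.send_message does)."""
    envelope = []
    for field in ("To", "Cc", "Bcc"):
        for hdr in msg.get_all(field, []):
            envelope.extend(a.addr_spec for a in hdr.addresses)
    # Round-trip through bytes so we inspect what really leaves the host.
    wire = message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del wire["Bcc"]
    return envelope, wire


def visible_recipients(wire):
    """Addresses any recipient can read out of the delivered headers."""
    seen = []
    for field in ("To", "Cc"):
        for hdr in wire.get_all(field, []):
            seen.extend(a.addr_spec for a in hdr.addresses)
    return seen


class ExposureError(Exception):
    """Raised when a bulk message would disclose the recipient list."""


def is_safe_bulk_send(msg, max_visible=1):
    """True if no more than `max_visible` addresses would be visible."""
    _, wire = to_wire(msg)
    return len(visible_recipients(wire)) <= max_visible


def check_bulk_send(msg, max_visible=1):
    """Pre-send gate: refuse an over-exposed message, otherwise return
    the envelope recipients the MTA would be handed."""
    envelope, wire = to_wire(msg)
    visible = visible_recipients(wire)
    if len(visible) > max_visible:
        raise ExposureError(
            f"{len(visible)} addresses would be visible to every recipient; "
            "move the list to Bcc"
        )
    return envelope


if __name__ == "__main__":
    leaky = build_message(DISTRIBUTION_LIST, use_bcc=False)
    _, leaky_wire = to_wire(leaky)
    print("To-based send exposes:", visible_recipients(leaky_wire))
    try:
        check_bulk_send(leaky)
    except ExposureError as err:
        print("Blocked:", err)

    safe = build_message(DISTRIBUTION_LIST, use_bcc=True)
    print("Bcc-based envelope:", check_bulk_send(safe))
    print("Bcc-based send exposes:", visible_recipients(to_wire(safe)[1]))
```

The gate belongs in whatever wraps the mass-mailing step (a CRM export script, a ticketing system's notify hook), not in the hands of the person composing the message; the point of the check is that a multi-recipient To field never reaches the MTA, so the BCC button never has to be remembered.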
According to local reports, the council sent three emails containing Blue Badge-related updates before issuing a fourth message acknowledging the error and asking recipients to delete the previous emails, including from their deleted items folders. Recipients were also warned to remain alert for suspicious messages following the incident.
While the exposed information appears to have been limited to email addresses, the breach is especially sensitive because everyone on the distribution list was receiving communications intended for Blue Badge holders. In practice, that meant recipients could identify hundreds of people as members of a group generally associated with disabilities or mobility impairments.
One affected resident told local media that the disclosure had left her upset because most people in her life were unaware she held a Blue Badge. "Honestly, I think it's just disgusting – we've been given the details of hundreds of disabled people, which feels unsafe," she said.
In a statement to The Register, a spokesperson at City of York Council said it activated its data breach procedures as soon as the error was identified and is conducting a risk assessment in line with guidance from the UK Information Commissioner's Office.
"We're working carefully to establish exactly what's happened, alongside conducting a thorough risk assessment ... to understand any potential impact on individuals," a spokesperson said. "Our investigation is ongoing, and we'll continue to be as open as possible while ensuring the accuracy of the information we provide."
The spokesperson declined to say how many individuals were affected or whether the issue was caused by human error or a technical issue.
The council added that it was assessing whether the incident meets the threshold for notification to the ICO within the statutory 72-hour reporting window.
That may depend less on the email addresses themselves than on what the mailing list revealed.
A spokesperson at the ICO told The Register: "We can confirm that we have received a data breach report on this matter, and following an assessment of the information provided we have closed the case with advice given."
For all the talk of AI-powered cyber threats, it seems some organizations remain committed to the classics. ®
Originally published on The Register
