The Metropolitan Police has blamed ‘human error’ for exposing the emails of more than a 1,000 crime victims.
The victims, mostly of theft or criminal damage, were emailed on Monday as part of a survey into whether victims felt they were receiving a better service after the introduction of a single telephone number for an investigation unit in London, according to security firm Sophos.
But instead of entering the email addresses in the blind carbon copy (Bcc) field, they were entered in the carbon copy (Cc), which meant the addresses were visible to everyone else on the list.
The emails were sent in seven batches, meaning between 118 and 197 other people saw each email address.
A Met spokesman said: "No other personal details were revealed and we are contacting everyone affected to explain what happened and to apologise."
The Met Police has referred the matter to the Information Commissioner’s Office (ICO), according to The Guardian.
Scotland Yard is reviewing their processes in relation to surveys of this kind to avoid a similar error, the paper said.
To impose a monetary penalty, the ICO has to demonstrate that a breach caused substantial damage or distress, or that the organisation knew or ought to have known that there was a risk this could have happened.
The maximum penalty the ICO can issue is £500,000, but £140,000 is the highest penalty so far. It was imposed on the Midlothian Council for sending sensitive personal data about children and their carers to the wrong people on five separate occasions, between January and June 2011.
Read more on IT for government and public sector
London council fined by the ICO for disclosing personal information held on Met Police Gangs Matrix
New TalkTalk fine takes total for poor data protection to £500,000
Quocirca UK ICO Watch: GDPR fines may not be as scary as the vendors are telling you
ICO reiterates call for stronger sentences for data theft