A human mistake by Kennedys Law, a London law firm, exposed e-mail addresses of almost 200 people related to one of the most sensitive topics in the UK: victims of abuse linked to the Church of England. This failure represents a privacy issue and it makes victims lose their trust in institutions once again, because they had already been betrayed by the same institution. So, let’s learn more about this data breach.
What happened?
Kennedys Law was sending information about the Church of England Redress Scheme, a program created to provide economic, therapeutic, and emotional support to the victims who suffered abuse from priests, bishops or any other member of the Church of England. What happened when this information was being sent? Instead of hiding e-mail addresses using BCC, Kennedys Law included every single address to the CC. This means that 194 emails were visible for the rest of the people who received the same email.
Kennedys Law tried to stop this, but it was for nothing because the damage was already done.
How serious is this?
It might seem like a small technical issue, but it actually has a huge impact. Let’s see the consequences of this situation:
- Privacy Violation: Survivors of abuse often want their identities kept secret. Revealing emails puts them at risk of being recognized or contacted without consent.
- Loss of Trust: Victims already feel betrayed by the Church of England because of the abuse itself. Now, the very system designed to help them also failed to protect them.
- Legal Consequences: The breach has been reported to the UK’s Charity Commission, Information Commissioner’s Office, and Solicitors Regulation Authority. Investigations may lead to fines or stricter rules.
- Emotional Harm: Survivors may feel unsafe again. For many, even a small mistake like this can reopen old wounds.
Precedent
If we have in mind the history of abuses in the Church of England, this situation is even worrying:A report in 2022 found that between the 1940s and 2018, 390 people connected to the Church were convicted of child sexual abuse. In 2017 alone, Church dioceses received 3,287 reports of concerns and allegations.
Survivors estimate the real number of victims could be in the thousands, including children, teens, and adults. Former Archbishop of Canterbury, Justin Welby, was forced to resign in 2024 after failing to properly investigate historical abuse cases.
This is why it’s important that the Church of England Redress Scheme works because there are so many victims who need to feel safe.
Kennedys Law’s response
Kennedys Law posted a statement apologizing for what it happened saying it was ‘’deeply sorry for the hurt and concern caused.’’ It confirmed every victim had been informed, started an investigation, and promised to make changes to avoid something like this ever happened again.
The Church of England didn’t directly manage the program’s data, but it said it was ‘’profoundly concerned’’ and demanded clear measures to gain trust back.
It happened before
Kennedys Law mistake is not something new, there have been similar failures in the UK and other countries like:
- The UK Ministry of Defence accidentally exposed the details of 19,000 Afghan allies, including interpreters and spies.
- An NHS Trust in Britain revealed patient information by using CC instead of BCC.
- A charity exposed the names of members of an HIV advisory board in a similar way.
These cases show that even a simple detail like confusing CC with BCC can put thousands of people at risk. Let’s hope they make sure this never happens again, so that victims can move on and feel safe about the traumatic experience they had to go through.