There are many different ways that organizations can manage customer lists and deliver email to all of their customers at once. Some mailers will generate a unique email for each customer, possibly replacing fields in a form letter, while others will basically use the "BCC" field to send one email to many recipients. An important characteristic of these methods is that the recipients will not be able to see each other's email addresses.
Today, Cardstore.com sent out an email to customers without using either of the above methods. This email contained thousands of Cardstore.com's customer email addresses in the email's "To:" field, meaning that every recipient of the email could see every other email address that the message was sent to.
Database breaches have become extremely common. LinkedIn and Last.fm are both recent examples of popular websites to suffer database breaches that exposed customer details. These breaches have been the result of hackers, but Cardstore.com cut out the middle-man and just sent out their customer list themselves. This kind of breach is unacceptable and should never have been allowed to happen. Great care should always be taken in the handling of customer information, and checks should be in place to make sure that errors like this are avoided.
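One way such a check could look, as an added example that is not from the original post or from Cardstore.com's systems: a pre-send gate that counts the addresses visible in "To:" and "Cc:" and refuses the message if more than one would be exposed, alongside a per-customer mailer that passes it. The function names, the limit of one visible address, and the example.com customer list are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # assumed policy for bulk customer mail


class RecipientExposureError(Exception):
    """Raised when a message would reveal customer addresses to each other."""


def visible_recipients(msg):
    """Return every address a recipient could read in the To: and Cc: headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Pre-send gate: reject a message whose headers expose more than `limit` addresses."""
    exposed = set(visible_recipients(msg))
    if len(exposed) > limit:
        raise RecipientExposureError(
            f"{len(exposed)} addresses visible in To/Cc (limit {limit})")
    return msg


def build_message(sender, subject, body, to_header):
    """Assemble a plain-text message with the given To: header value."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_header
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, subject, body, customers):
    """One message per customer, so each To: header holds a single address."""
    return [check_before_send(build_message(sender, subject, body, c))
            for c in customers]


def build_exposing_message(sender, subject, body, customers):
    """The failure mode described in the post: the whole list in one To: header."""
    return build_message(sender, subject, body, ", ".join(customers))


# Constructed sample data, not addresses from the incident.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
```

Calling `check_before_send` on the result of `build_exposing_message` raises `RecipientExposureError` before anything reaches the mail server, while every message from `build_individual_messages` passes.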
Comments from this post were discarded during a website migration.