Kennedys Law

Kennedys Law, a London-based law firm, accidentally leaked the email addresses of **194 individuals and law firms** involved in the Church of England’s (CoE) redress scheme for victims of abuse. The breach occurred due to **human error**, exposing recipients' details to all addressees in a mass email. Attempts to recall the emails were **only partially successful**, leaving victims—many of whom had suffered historical abuse by CoE officials—vulnerable to further harm. The firm reported the incident to regulatory bodies (Charity Commission, ICO, Solicitors Regulation Authority) and launched an internal investigation. The CoE, though not the data controller, expressed deep concern, emphasizing the breach’s potential to **erode trust** in the redress process. The exposed individuals included survivors of abuse by priests and bishops, compounding their trauma. The firm apologized unreservedly, acknowledging the **significant emotional and reputational impact** on those affected.

Source: https://www.theregister.com/2025/08/28/lawyer_coe_email_blunder/

TPRM report: https://www.rankiteo.com/company/kennedys

{
"id": "ken523082825",
"linkid": "kennedys",
"type": "Breach",
"date": "8/2025",
"severity": "60",
"impact": "4",
"explanation": "Incident with significant impact involving customer data leaks"
}
{'affected_entities': [{'customers_affected': '194 individuals and law firms',
                        'industry': 'legal services',
                        'location': 'London, UK',
                        'name': 'Kennedys Law',
                        'type': 'law firm'},
                       {'customers_affected': '194',
                        'location': 'UK (primarily)',
                        'name': 'Church of England (CoE) Redress Scheme '
                                'Applicants',
                        'type': 'victims/survivors group'}],
 'attack_vector': 'human error (misuse of email CC/BCC fields)',
 'customer_advisories': ['direct communication with affected individuals by '
                         'Kennedys Law'],
 'data_breach': {'number_of_records_exposed': '194',
                 'personally_identifiable_information': ['email addresses'],
                 'sensitivity_of_data': 'moderate (personal contact '
                                        'information of abuse victims)',
                 'type_of_data_compromised': ['email addresses']},
 'description': 'Kennedys Law, a London-based law firm, accidentally leaked '
                'the email addresses of 194 individuals and law firms who had '
                'requested updates about the Church of England (CoE) redress '
                'scheme for abuse victims. The leak occurred due to human '
                'error when email addresses were exposed to all recipients in '
                'a mass email. Attempts to recall the emails were only '
                'partially successful. The firm has apologized, launched an '
                'internal investigation, and reported the incident to '
                'regulatory bodies including the Charity Commission, the '
                "Information Commissioner's Office (ICO), and the Solicitors "
                'Regulation Authority (SRA).',
 'impact': {'brand_reputation_impact': ['loss of trust among abuse victims',
                                        'negative publicity for Kennedys Law '
                                        'and Church of England'],
            'customer_complaints': ['hurt and concern expressed by affected '
                                    'individuals'],
            'data_compromised': ['email addresses'],
            'identity_theft_risk': ['low (email addresses only)'],
            'legal_liabilities': ['potential investigations by ICO, Charity '
                                  'Commission, and SRA'],
            'operational_impact': ['partial email recall failure',
                                   'regulatory reporting',
                                   'internal investigation'],
            'systems_affected': ['email system']},
 'investigation_status': 'ongoing (internal investigation by Kennedys Law; '
                         'regulatory reviews by ICO, Charity Commission, and '
                         'SRA)',
 'lessons_learned': ['importance of email etiquette (CC/BCC usage)',
                     'need for robust data handling procedures for sensitive '
                     'cases',
                     'immediate recall actions may not fully mitigate leaks'],
 'post_incident_analysis': {'corrective_actions': ['incorporating learnings '
                                                   'immediately (unspecified)',
                                                   'potential policy/training '
                                                   'updates'],
                            'root_causes': ['human error in email handling (CC '
                                            'instead of BCC)',
                                            'lack of technical safeguards to '
                                            'prevent mass email leaks']},
 'recommendations': ['mandatory training on email best practices (CC/BCC)',
                     'implementation of technical controls to prevent mass '
                     'email leaks (e.g., forced BCC for bulk emails)',
                     'enhanced oversight for communications involving '
                     'vulnerable groups',
                     'regular audits of data handling procedures'],
 'references': [{'source': 'The Register'},
                {'source': 'Independent Inquiry into Child Sexual Abuse '
                           '(IICSA) 2022 Report'},
                {'source': "Information Commissioner's Office (ICO) guidance "
                           'on email security'}],
 'regulatory_compliance': {'legal_actions': ['investigations by ICO, Charity '
                                             'Commission, and SRA (pending)'],
                           'regulations_violated': ['UK GDPR (potential)',
                                                    'Data Protection Act 2018 '
                                                    '(potential)'],
                           'regulatory_notifications': ['reported to ICO, '
                                                        'Charity Commission, '
                                                        'and SRA']},
 'response': {'communication_strategy': ['public apology',
                                         'direct contact with affected '
                                         'individuals',
                                         'statements to media'],
              'containment_measures': ['attempted email recall (partially '
                                       'successful)'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['incorporating learnings immediately'],
              'remediation_measures': ['internal investigation',
                                       'regulatory reporting (ICO, Charity '
                                       'Commission, SRA)',
                                       'apology and communication with '
                                       'affected parties']},
 'stakeholder_advisories': ['Church of England expressed concern and is '
                            'monitoring the situation'],
 'title': 'Kennedys Law Email Data Leak Affecting Church of England Redress '
          'Scheme Applicants',
 'type': ['data breach', 'privacy violation', 'human error']}