When One Click Changes Everything
28/08/2025

A serious data protection failure has occurred within the Church of England’s Redress Scheme, managed by the law firm Kennedys Law. Personal details of nearly 200 survivors of church-related abuse were inadvertently disclosed in an email, prompting concern among victims, advocacy groups, and regulators.
What Happened
An update email to participants in the Redress Scheme, which was set up to offer them compensation, was mistakenly sent with the email addresses of 194 survivors of abuse visible. They state that no other categories of personal data were exposed, but the breach still represents a serious lapse in confidentiality. Attempts to recall the message were only partially successful.
“Due to human error, the email displayed the email addresses making them visible to all of the recipients”
Kennedys Law accepted full responsibility, saying it was “deeply sorry for the hurt and concern caused to everyone affected.” The firm has reported the matter to the Information Commissioner’s Office, the Solicitors Regulation Authority, and the Charity Commission, and is carrying out an internal review to prevent recurrence.
Human Error and Human Impact
It’s important to recognise that this incident was almost certainly the result of a simple mistake: for example, someone clicking “send” without blind-copying the recipients. Anyone who has worked in a pressured role knows how easily that can happen. I feel sorry for the individual involved, who will no doubt be devastated to realise the impact of their action.
But while mistakes happen, the consequences here are significant. This wasn’t just an admin slip: the recipients were survivors of abuse, entitled to the highest levels of confidentiality and care. The breach risks compounding harm for those who had already placed fragile trust in the scheme.
Response from the Church
The Church of England stressed that it is not the data controller of the scheme, but nonetheless expressed “profound concern” and said it was working with Kennedys to ensure stronger safeguards.
Bishop of Winchester, Philip Mounstephen, who set up the redress scheme, told Channel 4 News, “Let’s be very clear about this. Even though this wasn’t our error from a legal perspective, we will not shirk our moral responsibility. Survivors are deserving of the utmost care, confidentiality and respect. Our focus has to be on their wellbeing and we’ll continue to do everything we can to support them and uphold the integrity of the redress scheme, not for its own sake but because survivors vitally need it.”
Impact on Survivors
Survivor groups have voiced distress, with some emphasising that the breach undermines the very trust the Redress Scheme was created to rebuild. Survivors are legally entitled to lifelong anonymity, and the disclosure of their details, even just email addresses, could feel like another betrayal.
One victim, who has waived their anonymity, has said that other victims will be feeling more exposed and more vulnerable, with trust broken completely. They acknowledge that the cause of the breach may have been a junior admin person who may not have received appropriate training or briefing.
Lessons for All Organisations
This incident is a stark reminder that most data breaches are not the result of hackers, but of human error. One wrong click can expose hundreds of people’s information. That’s why it is critical that organisations handling sensitive data:
- Put in place robust systems for group communications (such as mailing software or secure portals rather than ad-hoc emails).
- Provide regular, bespoke training tailored to staff roles and the sensitivity of the data they handle, and conduct routine audits.
- Use technical safeguards (e.g. auto-BCC, controlled distribution lists, email send delay or email platforms that suppress recipient visibility).
- Carry out regular Data Protection Impact Assessments (DPIAs), especially when working with vulnerable groups.
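As an illustration of the technical safeguards listed above (suppressing recipient visibility rather than relying on someone remembering BCC), here is a minimal pre-send guard. It is an added example, not code from any organisation named in this article; the function names, the threshold and the example.org addresses are assumptions constructed for the sketch.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: at most one address visible per message


def _addresses(msg, headers):
    """Unique, lower-cased addresses found in the given headers."""
    values = sum((msg.get_all(h, []) for h in headers), [])
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc, never Bcc."""
    return _addresses(msg, ("To", "Cc"))


def split_per_recipient(msg):
    """One copy per recipient, each showing only that recipient in To."""
    copies = []
    for addr in _addresses(msg, ("To", "Cc", "Bcc")):
        single = copy.deepcopy(msg)
        for header in ("To", "Cc", "Bcc"):
            del single[header]  # no error if the header is absent
        single["To"] = addr
        copies.append(single)
    return copies


def guard(msg, max_visible=MAX_VISIBLE):
    """Pass small messages through; split bulk ones so no address is shared."""
    if len(visible_recipients(msg)) <= max_visible:
        return [msg]
    return split_per_recipient(msg)


def sample_bulk_message():
    """Constructed sample: a group update with three visible recipients."""
    msg = EmailMessage()
    msg["From"] = "scheme-updates@example.org"
    msg["To"] = "a@example.org, b@example.org"
    msg["Cc"] = "c@example.org"
    msg["Subject"] = "Scheme update"
    msg.set_content("Update text.")
    return msg


if __name__ == "__main__":
    for out in guard(sample_bulk_message()):
        print(out["To"], "| Cc:", out["Cc"])
```

A guard like this belongs in the sending path itself (a mail gateway rule or the mailing tool), so it applies regardless of what the sender typed into the To field.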
Final Thought
We must balance accountability with empathy. People make mistakes, but when working with survivors of abuse, the stakes are too high to rely on manual processes alone. Organisations should focus not only on apologising after breaches but also on building systems and training staff in ways that make such errors far less likely.