CARDIFF Council admitted responsibility for a data breach that led to the email addresses of parents being leaked.
Parents in Cardiff who are eligible for Childcare Offer for Wales funding received an email from the council in May ahead of the summer half term.
The local authority said that an error caused all recipients of the email to be copied into the ‘to’ field instead of the ‘bcc’ (blind carbon copy) field.
Later that same day a follow-up email was sent to all the recipients to apologise for the error and to ask them to delete the original email.
A Cardiff Council spokesman said: “Cardiff Council is aware that a data breach occurred on May 15 this year.
“The breach resulted from human error and Cardiff Council’s reporting procedures were followed promptly and appropriately in line with data protection protocols.
“Cardiff Council remains committed to continuous improvement in data handling practices and staff awareness to prevent recurrence.”
The Childcare Offer for Wales aims to help parents with childcare costs and eligible parents can claim up to 30 hours of early education and childcare a week for up to 48 weeks a year.
Local authorities in Wales are responsible for implementing the scheme in their areas.
Cardiff Council’s recall email to recipients following the data breach on May 15 was sent out at 4.33pm.
It read: “You will have received an email… on 15/05/2025 at 10:05am titled ‘Childcare Offer Funding: Holiday Periods | Cyllid Cynnig Gofal Plant: Cynodau Gwyliau’.
“The content of this email, which includes information on setting up an online funding agreement, is provided below.
“We kindly request that you delete the original email due to an error that caused all recipients to be copied into the TO field instead of the Bcc field.
“We sincerely apologise for this mistake and have taken measures to prevent such breaches in the future.”
A separate data breach involving Cardiff Council, which saw the details of vulnerable children the local authority looks after being compromised, was reported on in March.
Members of the council’s governance and audit committee were told about the data breach by a council official at a meeting on Tuesday, March 25.
The Local Democracy Reporting Service understands that the information was taken in a breach that affected Data Cymru.
At the time Data Cymru was asked for the type of data that was compromised, when the breach occurred, and what was done to resolve the issue.
Cardiff Council was also given an opportunity to respond.
