Bad news! A financial institution has just CC'd me and about 100 other customers. Good news! I now know how many people use [name-of-service]@[their-domain.tld] as a contact address! Thoughts and prayers for the poor admin assistant who is going to have to do the GDPR walk of shame. And sleepless nights for the IT team who didn't set up rules to prevent a mass CC.
I was *very* polite in my email back to them. And I was *very* restrained in not CC'ing all my fellow breachers.
Oh, and while I'm ranting about financial institutions… "In order to get you up as a supplier, please provide a redacted copy of your bank statement. Screenshots are not acceptable." After a bit of back and forth, they accepted that modern business banks don't provide paper statements. Nor paying-in books. Nor cheque books. So, yes, they would have to accept a screenshot of a statement. Clownshoes everywhere today!