UPDATED 12:02 EDT / MARCH 21 2012


8,000 Student E-mails Leaked in Loan Company Security Blunder

It’s not always the hackers that you need to worry about: ordinary human error can do just as much damage. This is the moral of a story coming out of England, where a student loans facilitator named Student Finance England inadvertently leaked the details of over 8,000 students in a mass e-mail distribution blunder.

According to Graeme Paton of The Telegraph, the breach contained only e-mail addresses of the students in question and not other information.

On Monday, it emailed more than 8,000 students – due to start university this autumn – to remind them to complete grant application forms. The message was sent to students who had started but failed to complete an online application.

However, staff inadvertently included an attachment listing the email addresses of all students on the distribution list.

In a statement, the Student Loans Company apologised for the blunder, adding: “The information was sent in error and only included email addresses, no other personal student data was shared.”

Sometimes institutions that store your information just screw up. Fortunately, this time, it was just e-mail addresses—and not actual personal information. By and large this greatly reduces the total concern about this sort of bungle, but there are some privacy watchdogs who would like to remind us of how precarious our information can be.

“Just because this information didn’t contain bank details, it doesn’t mean it isn’t useful to people,” said Nick Pickles, director of Big Brother Watch, the privacy and civil liberties group. “The fact is that email addresses are increasingly the primary mode of communication for most people. Who knows where it could end up once it is in the public domain?

“If you were to go to a credit reference agency and say, ‘I have the email addresses of 8,000 people in receipt of student finance, would you find it interesting?’ Of course they would.”

The Student Loans Company has apologized for the release of the e-mails and stated that it has contacted all of its customers who have been affected by the breach.

Keeping this sort of thing in mind, this is the least serious problem that could have come out of attaching a file to a mass e-mail. To be security conscious, it’s important not just to educate and train users to avoid things that might unleash personal information onto the Internet; limiting what they can do will also help. In the case of mass e-mails it’s rarely necessary to attach anything, especially because files can be shared behind password-protected web pages.

Presumably the company already stores personal student information in encrypted and locked databases (ruling out the chance that an entire table full of such information could be attached to an e-mail), but the ability to send attachments itself should be restricted. Attachments are not necessary in normal mass communication and invite a multitude of errors like this one.

