21 May 2026
I wanted to talk about this because it is incredibly common and people don’t question it enough. The truth is that collecting sensitive data or private information in email attachments seems convenient, but it raises important concerns. Also, if the only tool you have to collect information is the tool you use to write letters, I don’t trust you to protect my data.
A surprising number of organisations still collect sensitive information by emailing Microsoft Word documents backwards and forwards between people. Sometimes the document contains onboarding details. Sometimes it contains identity documents, payroll information, clinical material, access requests or security questionnaires.
Email attachments are copied to multiple locations
The problem is not Microsoft Word itself. The problem starts the moment an organisation uses email attachments to collect sensitive information, or private information of any kind. As soon as somebody attaches a document to an email, copies of that information begin spreading across inboxes, laptops, backups and shared folders.
One copy sits in the sender’s mailbox. Another sits in the recipient’s mailbox. Somebody downloads it onto a desktop intending to upload it later. Someone else forwards it internally for approval. Somebody saves another copy “just in case.” Before long, the organisation collecting the sensitive information no longer knows exactly where all of it lives. In many cases, private information in email attachments is lost track of.
That is why collecting sensitive information through email attachments creates such a privacy problem. Organisations often focus heavily on passwords, login security and cloud platforms. Meanwhile, highly sensitive information quietly spreads through ordinary workplace behaviour.
It is more difficult to control information inside a document
Interestingly, this connects directly to another issue we discussed recently: organisations often lose visibility over information long before they lose control of security. Once sensitive information starts travelling through inboxes, downloads folders and shared drives, businesses stop knowing what information they actually hold. As a result, they stop knowing where it lives and who can still access it.
Most organisations genuinely believe they handle the information securely. They use Microsoft 365, require authentication and lock down laptops. Meanwhile, staff continue emailing highly sensitive Word documents around the business because the process feels familiar and convenient.
The uncomfortable reality is that collecting sensitive information through email attachments usually gives organisations very poor visibility and very poor control over the information they hold. Once staff download documents locally or forward them internally, organisations struggle to answer simple questions such as:
- where the information now lives
- how many copies exist
- who still has access to it
- whether archived mailboxes still contain it
- whether staff stored copies locally years ago
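The questions above are answerable only if somebody actually goes looking. As an added illustration (this is not code from the original post), the script below builds a small constructed estate of mailboxes in .eml form, a Downloads folder and a backup folder, then extracts every attachment and loose file and groups them by SHA-256 so that "where does this document live" and "how many copies exist" can be answered for a given piece of content. All paths, addresses and the payroll payload are made up for the example; on a real estate the same walk would run over mailbox exports and file shares.

```python
"""Content-hash inventory of attachment copies across a constructed file estate.

Added example, not from the original post. Every path, address and payload
below is constructed; nothing is read from a real mailbox.
"""
import email
import hashlib
import tempfile
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from pathlib import Path

PAYROLL = b"employee,tax_file_number,salary\nA. Example,000000000,90000\n"  # constructed
UNRELATED = b"Agenda for Tuesday\n"  # constructed, must not be reported as a copy


def _eml(sender, recipient, subject, payload, filename):
    """Serialise a minimal message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_sample_estate(root):
    """Constructed estate: one payroll document spreads via send, receive, forward, download, backup."""
    root = Path(root)
    for sub in ("mail/alice/Sent", "mail/bob/Inbox", "mail/carol/Inbox", "users/bob/Downloads", "backup/2024-01"):
        (root / sub).mkdir(parents=True)
    (root / "mail/alice/Sent/1.eml").write_bytes(_eml("alice@example.test", "bob@example.test", "Payroll", PAYROLL, "payroll.docx"))
    (root / "mail/bob/Inbox/1.eml").write_bytes(_eml("alice@example.test", "bob@example.test", "Payroll", PAYROLL, "payroll.docx"))
    (root / "mail/carol/Inbox/1.eml").write_bytes(_eml("bob@example.test", "carol@example.test", "Fwd: Payroll", PAYROLL, "payroll.docx"))
    (root / "mail/carol/Inbox/2.eml").write_bytes(_eml("bob@example.test", "carol@example.test", "Agenda", UNRELATED, "agenda.txt"))
    (root / "users/bob/Downloads/payroll (1).docx").write_bytes(PAYROLL)   # "I'll upload it later"
    (root / "backup/2024-01/payroll.docx").write_bytes(PAYROLL)            # copy retained by backup
    return root


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def iter_content(root):
    """Yield (location, bytes) for loose files and for each attachment inside .eml files."""
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".eml":
            msg = email.message_from_bytes(path.read_bytes(), policy=policy.default)
            for part in msg.iter_attachments():
                yield f"{rel}:{part.get_filename()}", part.get_payload(decode=True)
        else:
            yield rel, path.read_bytes()


def inventory(root):
    """Map content hash -> sorted list of every location holding exactly that content."""
    copies = defaultdict(list)
    for location, data in iter_content(root):
        copies[sha256(data)].append(location)
    return {digest: sorted(locs) for digest, locs in copies.items()}


def locate(root, document_bytes):
    """All locations in the estate that hold a byte-identical copy of document_bytes."""
    return inventory(root).get(sha256(document_bytes), [])


def demo():
    """Build the constructed estate in a scratch directory and report the payroll copies."""
    with tempfile.TemporaryDirectory() as tmp:
        return locate(build_sample_estate(tmp), PAYROLL)


if __name__ == "__main__":
    for location in demo():
        print(location)
```

Hashing content rather than matching filenames is deliberate: the downloaded copy has been renamed to "payroll (1).docx" and the forwarded copy sits under a different subject line, yet all five locations are found, while the unrelated agenda attachment is not reported. Byte-identical matching is the limit of this approach; a copy that has been re-saved by Word will hash differently, which is exactly why visibility is lost so easily once documents start travelling.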
This also connects closely to due diligence and supplier governance. Organisations increasingly ask vendors detailed questions about privacy controls, access governance and information handling practices. Yet many businesses still collect highly sensitive information through workflows that scatter copies of the same document across email systems and unmanaged storage locations.
None of this happens because people behave recklessly. Well, some of it does, but mostly people just use the tools and workflows the organisation gives them. Organisations cannot properly protect sensitive information if they do not control how they collect it in the first place. Above all, being mindful of private information in email attachments is critical for reducing unnecessary data risk.
A few particularly relevant real-world examples:
- In 2022, an Australian superannuation fund suffered a breach after attackers gained access to an employee mailbox containing a spreadsheet with personal details of around 50,000 members. The incident highlighted how sensitive information stored in ordinary email attachments can become exposed once an account is compromised.
- The OAIC (Office of the Australian Information Commissioner) has repeatedly warned that email remains one of the most common causes of reportable privacy breaches in Australia. The OAIC specifically identified accidentally emailing personal information to the wrong recipient as one of the leading causes of human-error breaches.
- The NSW Information and Privacy Commission and the Victorian OVIC both publish specific guidance about reducing breaches caused by email handling, because organisations continue to expose sensitive information through ordinary email workflows.
- In early 2026, cloud platform distributor Pax8 accidentally emailed a spreadsheet containing sensitive customer and licensing information relating to roughly 1,800 MSP customers. The issue did not involve sophisticated malware. An employee simply sent the wrong attachment to external recipients.
- Privacy and security regulators increasingly describe these issues as failures of information governance rather than purely “cybersecurity” failures. The real problem often starts much earlier. Organisations collect sensitive information through workflows that create uncontrolled copies across inboxes, local devices, backups and archives.