
We Deserve Better Than Postcards in Cyberspace

Emailing personal data in 2025 is like writing it on a postcard… exposed, traceable, and wide open to interception. Here’s why it’s time we demanded better.

Jason | muckypaws.com

TL;DR:

We’re still being asked to send passports, utility bills, and ID details over unencrypted email in 2025, despite decades of cybersecurity guidance and data protection law. This post breaks down the historical context, the technical risks, the corporate excuses, and gives a checklist to help consumers push back and make risk-based decisions when handing over your personal data.

What’s this all about?

Earlier this week, I posted about a high-profile data breach, and more importantly, how little real-world accountability there is when personal information is exposed. No meaningful penalties, no restitution for the individuals whose data was compromised.

In response, someone commented:

“But what’s the worst that can happen, realistically… to a regular Joe Bloggs going about their life? I’ve been handing out my data without a thought or a question for over 30 years and nothing has happened. We take these requests for data as part and parcel of the service we’re requesting along with millions of others. Is it just luck nothing bad has happened or is it just a waiting game until it does?”

And that’s what prompted this post.

Because this isn’t about scaring people, it’s about helping people make informed, risk-based decisions in a digital world. You don’t have to follow my advice. You don’t have to push back. But you should at least know what you’re agreeing to when you hit send. Too often, we give away our most sensitive information with no clue how it’s being handled, stored, or transmitted.

The point isn’t to panic.

The point is to ask better questions… and expect better answers.

Back in the pre-internet days, identity theft existed, sure… but it was mostly the domain of determined fraudsters, state actors, and those with the kind of criminal apprenticeship that passed knowledge from one shady generation to the next. It was labour-intensive. If you wanted someone’s personal data, you’d need lorries, patience, and filing cabinets full of paper. Robbing banks, Post Offices or warehouses offered far richer pickings for less work.

Fast forward to the 80s and 90s: the home computer revolution hits. Suddenly, kids are coding and gaming in their bedrooms. “Tomorrow’s World” dreams are booting up in real time. The corporate world scrambles from telex machines and manual files to mainframes and early PC networks.

By the 90s, the rise of Windows, Britpop, and dial-up internet had begun. Modems screeched their way into homes, and with them came email, Netscape, AOL, and a growing online population. I remember the bank I worked for trialling its first form of internet banking … an odd little application you dialled into, offering a digital peek at your statement (no more advanced than an ATM printout).

Retailers started experimenting with micro-transactions. I still recall a credit card company selling digital desktop backgrounds for 25p, just to test online payments. Back then, it all seemed experimental, exciting, a bit wild west.

As more services moved online, information became easier to access. Processes that once involved letterheads and long waits were now a few clicks away. Security awareness? Well… it was trying to keep up. I remember trying (and failing) to explain to execs why the amount of data we were capturing posed risk. Security wasn’t sexy. It didn’t make money. It didn’t close sales. Until something went wrong. Then suddenly, the cigar-smoking suits wanted to know everything.

Today? Our mobile devices are our digital vaults. They hold our banking, our health records, our social lives, and our ID. Lose your phone and you’re not just offline … you’re digitally amputated.

And yet… here we are.

Despite GDPR and years of cybersecurity campaigns, companies … including public bodies … are still asking people to send sensitive documents by email. “Please send a copy of your utility bill, passport, and bank statement to this address so we can proceed with your request.”… Sound familiar?

Let’s be clear: email is not secure by default.

Yes, some large organisations have TLS encryption between domains (say, between a utility company and an ombudsman). That’s server-to-server encryption. It’s great if both sides support it, and it’s correctly implemented.

But for everyday consumers? That protection doesn’t exist. Your average person isn’t using PGP. Their ISP isn’t negotiating secure mail sessions direct to the recipient for each email. Your email might bounce through multiple relays and servers before landing at its destination. And at every point, it’s at risk. In a simple test recently, I spotted over 12 relays involved in getting an email from my computer to the receiver. That’s a lot of intermediaries with access to your information, and it is what we call uncontrolled information.
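You can see the relay chain for yourself: every mail server that handles a message prepends a `Received:` header, and the `with ESMTPS`/`ESMTPSA` keyword (or a `version=TLS…` comment) shows whether that hop was delivered over TLS. The script below is an added example, not part of the original post; it parses the `Received:` headers of a constructed sample message (the hostnames and addresses are made up) and reports how many relays were involved and which hops were plaintext.

```python
"""Count mail relays from Received: headers and flag hops without TLS.

Added example. SAMPLE_RAW_EMAIL is constructed for illustration; the
hostnames, IPs and ids are not real.
"""
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample: four Received: headers, newest first, because each
# server prepends its own header as the message passes through.
SAMPLE_RAW_EMAIL = """\
Received: from mx2.example-receiver.test (mx2.example-receiver.test [203.0.113.20])
        by inbox.example-receiver.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 3 Mar 2025 10:00:04 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
        by mx2.example-receiver.test with ESMTP id def456; Mon, 3 Mar 2025 10:00:03 +0000
Received: from smtp.example-isp.test ([192.0.2.9])
        by relay.example-isp.test with ESMTPS id ghi789
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256); Mon, 3 Mar 2025 10:00:02 +0000
Received: from [10.0.0.5] (home-pc.localdomain)
        by smtp.example-isp.test with ESMTPSA id jkl012; Mon, 3 Mar 2025 10:00:01 +0000
From: sender@example-isp.test
To: recipient@example-receiver.test
Subject: Copy of passport as requested
Content-Type: text/plain

Attached as requested.
"""

# "from <src> ... by <dst> ... with <protocol>" is the RFC 5321 trace form.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.DOTALL,
)
# ESMTPS / SMTPS = STARTTLS or implicit TLS; ESMTPSA = authenticated over TLS.
# Plain ESMTP / SMTP / ESMTPA carry no transport encryption.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}
# Many MTAs also note the negotiated version, e.g. "(version=TLS1_3 ...)" or "(using TLSv1.2 ...)".
TLS_VERSION_RE = re.compile(r"\bTLSv?1[._]\d", re.IGNORECASE)


def parse_hops(raw_email: str) -> List[Dict[str, object]]:
    """Return the hops in sender-to-recipient order with a TLS flag for each."""
    msg = message_from_string(raw_email)
    received = msg.get_all("Received") or []
    hops: List[Dict[str, object]] = []
    # Reverse so the list reads in the order the message actually travelled.
    for header in reversed(received):
        text = re.sub(r"\s+", " ", header).strip()  # unfold continuation lines
        match = HOP_RE.search(text)
        if not match:
            continue  # non-standard trace header: skip rather than guess
        proto = match.group("proto").upper()
        tls = proto in TLS_PROTOCOLS or bool(TLS_VERSION_RE.search(text))
        hops.append({"from": match.group("src"), "by": match.group("dst"),
                     "with": proto, "tls": tls})
    return hops


def summarise(hops: List[Dict[str, object]]) -> Dict[str, object]:
    """Relay count plus the receiving hosts whose hop was not protected by TLS."""
    return {
        "relay_count": len(hops),
        "plaintext_hops": [h["by"] for h in hops if not h["tls"]],
    }


if __name__ == "__main__":
    parsed = parse_hops(SAMPLE_RAW_EMAIL)
    for i, hop in enumerate(parsed, 1):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['with']}) {status}")
    print(summarise(parsed))
```

On the constructed message this reports four hops, one of which (ISP relay to the receiver’s MX) was plain ESMTP, so the attachment crossed at least one link in the clear. Two caveats: a hop showing TLS only tells you that link was encrypted in transit, not that the servers at either end stored the message securely; and `Received:` headers are written by each server in turn, so only the ones added by servers you trust can be relied on.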

Here’s where the hypocrisy kicks in:

  • When they want your data? “Email is safe, don’t worry.”
  • When you ask them to send sensitive data to you the same way? “Sorry, we can’t do that. It’s insecure.”

So which is it?

Let’s try a simpler analogy … one that’s worked well when explaining this to non-technical friends:

Would you write your full name, address, date of birth, and National Insurance number on a postcard, use your regular signature and pop it in the post?

Because that’s effectively what you’re doing when you email unencrypted personal data. The contents of your message are visible to every mail sorter, every relay, every digital post office along the way. You have no idea who might intercept, copy, archive, or sell that data.

Ironically, many of us used to (and still do) send real postcards, and posties would cheerfully tell us our friends had a great time in Tenerife. The principle hasn’t changed. The stakes have.

Here’s the kicker

Almost every time I push back and explain that email is insecure, the person on the other end … usually a frontline worker or administrator … doesn’t understand the risk. They’re just trying to complete their task, close the case, or deny access based on policy. Their priority is process, not protection. (Spoiler alert: the process is broken.)

But while these organisations might have a legitimate reason for asking for your information, the question remains: why aren’t they doing more to protect it? Why isn’t something as basic as a secure upload portal the standard? This offers full end-to-end encryption from your device/computer to the recipient’s server.

Take this recent experience: I was dealing with a solicitor, an organisation that should understand legal duty and data protection. And yet, they had no secure upload portal, no egress gateway, no encrypted link, just an email address and a request to send sensitive documents.

Or the NHS: contacting PALS or a consultant’s PA, I’m routinely asked to confirm my name, address, date of birth, and hospital number … via plain email.

Or law enforcement: I was asked to send PII-heavy documents by email, even though they have a secure portal, because they weren’t “allowed” to use it.

Or broadband providers, utilities, banks… all still stuck in this insecure-by-default model, despite living in a time when data breaches, phishing, and identity theft are daily occurrences.

This isn’t the 90s anymore. It’s not acceptable to treat email as a secure channel for sensitive information. If we know email is one of the richest sources of PII for threat actors, why are so many companies still getting this so wrong?

So what should organisations be doing?

  • Stop asking for PII via plain email.
  • Provide secure upload portals.
  • Offer encrypted links with expiry times.
  • Give people the choice to call in and verify details over the phone.

And as individuals, we need to start pushing back.

A Simple Checklist for Consumers

When asked to provide personal information by email, try this instead:

  1. Ask for a Secure Portal:
    • “Do you have a secure portal where I can upload the required documents instead of emailing them?”
  2. Suggest Encrypted Files (if no portal):
    • “Can I send this as a password-protected PDF or Word document, and provide the password by phone or separate message?” (Note: not foolproof, but better than plain text.)
  3. Verify Over the Phone:
    • If it’s about confirming PII like your DOB, offer:
      • “Could you call me on the number registered to my account so I can confirm verbally?”
  4. Push for Data Protection Oversight:
    • “I’m concerned about sharing personal data over an insecure channel. Can you refer this to your Data Protection Officer or confirm your GDPR compliance process for secure data transmission?”
  5. Quote the Law if Needed:
    • Under UK GDPR Article 5(1)(f), organisations are required to ensure appropriate security of personal data, including protection against unauthorised processing and accidental loss.

Remember: The onus is on the organisation to protect your data… not you. 

If they can’t offer a secure alternative, at least you’re making a conscious, informed decision about risk, not blindly hoping for the best.

What Are Your Rights If They Refuse?

If an organisation insists on insecure communication methods, you have options:

  • Raise your concern internally first. Ask to escalate the issue to their Data Protection Officer (DPO).
  • Refer to UK GDPR Article 32, which requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, especially when handling sensitive or personally identifiable information.
  • If the response is inadequate or dismissive, escalate to the Information Commissioner’s Office (ICO). You can submit a concern online via the ICO website: https://ico.org.uk/make-a-complaint/
  • Keep copies of all correspondence—this includes emails, responses, and screenshots where applicable. The ICO often reviews these materials when assessing complaints.
  • If the data shared insecurely leads to a breach, you also have the right to seek redress under UK GDPR Articles 77–82, including the right to compensation for damage suffered.

https://gdpr-info.eu

Remember, pushing back isn’t just about your own privacy, it sets a precedent. It nudges organisations toward better standards, and it educates others in the process.

Changing the narrative begins with every challenge, every refusal to accept the lazy norm, and every time we ask: Why are we still doing this like it’s 1999?

Because in 2025, we deserve better than postcards in cyberspace.

👇 Join the Conversation

Have you ever been asked to email sensitive data like your passport or bank statement? Did you challenge it, or reluctantly hit send? Let’s normalise pushing back. Share your experience in the comments or tag someone who needs to read this.
