Automated responses from some recipients were also sent to all customers on the list, revealing further personal details – such as mobile phone numbers – and exacerbating the problem.
"I think there are times when you just have to put your hand up and say it was a human error," HFC's Corporate Director Martin Rutland told the BBC MoneyBox programme. "We have been sending e-mails out this way for well over a year. They have never been a problem. In this instance we made a mistake, and we unreservedly apologise for it."
Data protection rules require that personal information held by an organisation on an individual remains confidential, but when HFC, part of the HSBC Group, sent the e-mails to 2,600 customers of its Marbles credit card service, it breached the regulations.
According to the BBC, HFC has informed the UK's data protection watchdog, and the Information Commissioner has decided to take no action.
HFC has recompensed each person affected by the breach to the tune of £50, but reports suggest that some customers are considering their legal position.
William Malcolm, a data protection specialist with Masons, the law firm behind OUT-LAW.COM, said:
"This sort of mistake can easily happen if an employee mistakenly includes the e-mail addresses in the 'To' field or 'CC' field of an e-mail, instead of placing them in the blind carbon copy ('BCC') field. This further illustrates that good data protection compliance is about adopting the right processes and training staff."