diff --git a/src/js/bo/outbox.js b/src/js/bo/outbox.js
index 3df3c59..7d04a52 100644
--- a/src/js/bo/outbox.js
+++ b/src/js/bo/outbox.js
@@ -62,6 +62,12 @@ define(function(require) {
         mail.publicKeysArmored = []; // gather the public keys
         mail.id = util.UUID(); // the mail needs a random uuid for storage in the database
 
+        // do not encrypt mails with a bcc recipient, due to a possible privacy leak
+        if (mail.bcc.length > 0) {
+            storeAndForward(mail);
+            return;
+        }
+
         checkRecipients(allReaders);
 
         // check if there are unregistered recipients
diff --git a/src/js/controller/write.js b/src/js/controller/write.js
index 75631c0..e78f469 100644
--- a/src/js/controller/write.js
+++ b/src/js/controller/write.js
@@ -237,6 +237,11 @@ define(function(require) {
                 return;
             }
 
+            // bcc automatically disables secure sending
+            if ($scope.bcc.filter(filterEmptyAddresses).length > 0) {
+                allSecure = false;
+            }
+
             if (allSecure) {
                 // send encrypted if all secure
                 $scope.okToSend = true;
@@ -331,12 +336,22 @@ define(function(require) {
                 });
             });
 
-            function filterEmptyAddresses(addr) {
-                return !!addr.address;
-            }
         };
     };
 
+    
+    //
+    // Helpers
+    //
+
+    /*
+     * Visitor to filter out objects without an address property, i.e. empty addresses
+     */
+    function filterEmptyAddresses(addr) {
+        return !!addr.address;
+    }
+
+
     //
     // Directives
     //
diff --git a/test/new-unit/outbox-bo-test.js b/test/new-unit/outbox-bo-test.js
index deeffb3..4d98198 100644
--- a/test/new-unit/outbox-bo-test.js
+++ b/test/new-unit/outbox-bo-test.js
@@ -86,6 +86,39 @@ define(function(require) {
                 });
             });
 
+            it('should not encrypt a mail with bcc and store a mail', function(done) {
+                var mail;
+
+                mail = {
+                    from: [{
+                        name: 'member',
+                        address: 'member@whiteout.io'
+                    }],
+                    to: [{
+                        name: 'member',
+                        address: 'member@whiteout.io'
+                    }],
+                    cc: [],
+                    bcc: [{
+                        name: 'member',
+                        address: 'member@whiteout.io'
+                    }]
+                };
+
+                devicestorageStub.storeList.withArgs([mail]).yieldsAsync();
+
+                outbox.put(mail, function(error) {
+                    expect(error).to.not.exist;
+
+                    expect(mail.publicKeysArmored.length).to.equal(0);
+                    expect(keychainStub.getReceiverPublicKey.called).to.be.false;
+                    expect(emailDaoStub.encrypt.called).to.be.false;
+                    expect(devicestorageStub.storeList.calledOnce).to.be.true;
+
+                    done();
+                });
+            });
+
             it('should encrypt and store a mail', function(done) {
                 var mail, senderKey, receiverKey;