Scotland Yard has inadvertently shared the email addresses of around 1,000 victims of crime with each other, in a mistake that has been referred to the information commissioner.

The Metropolitan police said emails were sent out to 1,136 victims, mostly of car theft or pickpockets, as part of a survey on 30 January. But the addresses were put in the wrong section of the email, which meant they were shared with other victims.

A Met spokesman said: "No other personal details were revealed and we are contacting everyone affected to explain what happened and to apologise."

Scotland Yard said it was now reviewing its processes in relation to surveys of this kind to avoid a similar error. "The sharing of data was a result of human error … as a matter of course we have notified the information commissioner's office."

The emails were sent as part of the survey into whether victims felt they were receiving a better service following the introduction of a single telephone number for the investigation unit in London. They were sent in seven batches of between 119 and 198 recipients.

The breakdown of types of crime the victims suffered is: one common assault; one criminal damage under £5,000; four criminal damage under £500; one criminal damage to a building other than a residential dwelling; 11 criminal damage to motor vehicles – £500 to £5,000; 73 criminal damage to a car worth under £500; nine criminal damage to other property under £500; one criminal damage to other buildings under £5000; 47 victims of false representation; 12 victims of interference with a motor vehicle; one victim of making off without payment; one victim of shoplifting; 324 victims of theft from a motorvehicle; eight victims of theft from other vehicles; 157 victims of pickpockets; six victims of a snatch; 319 victims of theft; 19 victims of car theft; and 125 victims of bike theft.

A spokeswoman for the Information Commissioner's Office said it had received the referral and it was being examined.

She said the highest fine the office could issue was £500,000 but that was for breaches of data of an extremely sensitive nature, for example the sharing of details about child sexual assault victims.