Dozens of Essential customers fuming as email containing personal info is openly shared [Update]

The Essential phone hasn"t even arrived in the hands of customers yet, despite shipments reportedly going out before last weekend. But for a number of customers, the wait has become even more frustrating as Andy Rubin"s company has unwittingly leaked the personal details of an unknown number of customers, which include drivers licenses, home addresses, passports, credit card statements, and telephone numbers.

An email sent out yesterday to a number of customers to verify their identity, reportedly to prevent fraud, appears to have been sent via the Zendesk support system, in which it is possible to set up a mail group, the email (a copy of which was sent to The Verge) is shown below:

On Aug 29, 2017, at 9:23 PM, Customer Care customercare@essential.com wrote:

Hi,

Our order review team requires additional verifying information to complete the processing of your recent order. 

This verification is performed to protect against unauthorized use of your payment information and similar to what is conducted for in-person purchases. 

Please provide an alternative email and phone number to confirm this purchase..

We would like to request a picture of a photo ID (e.g. driver’s license, state ID, passport) clearly showing your photo, signature and address. NOTE: the address on the ID should match the billing address listed on your recent order.

We apologize for the inconvenience and appreciate your cooperation.  Once verified, we look forward to shipping your order.

Thanks!

Essential Products Customer Care

The Verge spoke to one of the customers who received the above email, Professor Ron Schnell, who served as the CTO on Rand Paul’s presidential campaign. Schnell’s analysis of the email headers is that the emails really did go back to Essential, not to some random scammer. Here’s how he characterized it on Reddit:

It is not a Phishing scam. It is a misconfiguration. The DKIDs check-out, and the replies are actually going to Essential (and then many other people). I"ve accumulated quite a collection of D/Ls, Passports, credit card statements, phone numbers, and e-mail addresses. This is unbelievable.

What appears to have happened is that Essential had a group list of customers it needed to verify to prevent fraud, and subsequently sent them an email requesting for more information. However, that email address was set up as a group email, which meant that replies sent to it went to everybody on that email list.

It"s unclear how or why the email address was set up this way, but so far it seems Essential is not offering a lot to satisfy the dozens of customers whose information got shared with total strangers.

We’re aware of & looking into a recent e-mail received by some customers. We’ve taken steps to mitigate & will update with more info soon.

— Essential (@essential) August 30, 2017

The steps taken by Essential appear to be limited to just closing off the Zendesk group mail, which prevents any of the customers" replies to the mailing list, and the exposing of personal details amongst that email group.

Meanwhile, customers that are verified and have a tracking number have yet to receive their phones, which are reportedly being shipped from China, with some saying they expect to receive it tomorrow.

Source: The Verge

Update: Andy Rubin has apologized for the blunder in which 70 customers had their personal details shared amongst each other via email, a portion of which can be read below:

One of the most important jobs of a founder is to recognize when things aren’t going quite right, and make the necessary decisions and take action to correct them before customers are impacted. Founders are often faced with thousands of micro-decisions daily to keep their companies laser-focused on delivering products into the right markets at precisely the right time.

Yesterday, we made an error in our customer care function that resulted in personal information from approximately 70 customers being shared with a small group of other customers. We have disabled the misconfigured account and have taken steps internally to add safeguards against this happening again in the future. We sincerely apologize for our error and will be offering the impacted customers one year of LifeLock. We will also continue to invest more in our infrastructure and customer care, which will only be more important as we grow.

Being a founder in an intensely competitive business means you occasionally have to eat crow. It’s humiliating, it doesn’t taste good, and often, it’s a humbling experience. As Essential’s founder and CEO, I’m personally responsible for this error and will try my best to not repeat it.

I remain heartened and motivated by the groundswell of support that Essential has experienced since unveiling the company on May 30th. We continue to believe deeply in our vision and the innovation we are bringing to life via our Home, Phone and 360 Camera products. I humbly thank our customers and channel partners for your patience and understanding as we proceed with the launch of our first products.

You can read the full blog post here, and this also confirms that the details in the original article (above) was in fact not part of a phishing attempt, as suspected.

Report a problem with article
Next Article

Amazon Prime Video is finally available in the Google Play Store

Previous Article

Dell announces new gaming PCs and a monitor at IFA