Essential just made a huge mistake with personal customer info
If you're one of the folks who pre-ordered an Essential Phone, there's at least a small chance that you received a strange email from the company late last night. This email – which came from a customer care email address from Essential – asks consumers to reply with pictures of a photo ID, and alternate email address, and a telephone number, with its stated purpose being to prevent fraud. That's already bad, but then things got worse when customers who received this email started receiving the replies from others – complete with sensitive personal information.
Reddit user Cygnosity first posted about this email last night to the Essential subreddit. They point out that multiple customers were carbon copied on the initial email, exposing the personal information of those who chose to reply. Here's what the email in question looked like:
Hi,
Our order review team requires additional verifying information to complete the processing of your recent order.
This verification is performed to protect against unauthorized use of your payment information and similar to what is conducted for in-person purchases.
Please provide an alternative email and phone number to confirm this purchase..
We would like to request a picture of a photo ID (e.g. driver's license, state ID, passport) clearly showing your photo, signature and address. NOTE: the address on the ID should match the billing address listed on your recent order.
We apologize for the inconvenience and appreciate your cooperation. Once verified, we look forward to shipping your order.
Thanks!
Essential Products Customer Care
Some users in the Reddit thread are claiming that this could be a phishing scam, but one Reddit user by the name of RonnieSchnell says that it isn't. Instead, he says, this whole mishap can be blamed on a miscommunication. The emails were indeed going back to Essential, but the problem is that they went to other customers as well, exposing all of this sensitive data:
It is not a Phishing scam. It is a misconfiguration. The DKIDs check-out, and the replies are actually going to Essential (and then many other people). I've accumulated quite a collection of D/Ls, Passports, credit card statements, phone numbers, and e-mail addresses. This is unbelievable.
RonnieSchnell goes onto to say that it looks like these messages used Google Groups behind the scenes, with Essential authorizing Google Suites to send them out to customers. Should his analysis of the situation be correct, it sounds like this is a colossal screw up on the part of Essential.
For its part, Essential hasn't really said much about this issue. On Twitter, the only thing to be found in reference to this is the most recent tweet on Essential's account. That tweet offers little in the way of information, with Essential merely saying that it is aware of the situation and taking steps to mitigate it. We're left with the promise that it will update us when it has more information, but at the time of this writing, that information hasn't come.
If this was indeed a mistake on the part of Essential, then that's a bad look at a crucial time for the company. With its flagship phone now starting to ship out, it's a make-or-break time for Essential and consumer goodwill is of utmost importance. We'll update you when Essential makes a statement and sheds some light on how this could have happened, so stay tuned.