In colossal screwup, Essential shared customers’ driver’s licenses over email


Last night, some customers who had preordered an Essential phone received an email asking for a copy of their driver’s license, ostensibly to verify their address in an attempt to prevent fraud.

Dozens of customers replied with their personal information, but those emails didn’t just go to Essential. Instead, they went out to everybody who had received the original email. That means that an unknown number of Essential customers are now in possession of each other’s driver’s license, birth date, and address information.

The incident is being reported as phishing by many outlets, because it looks and smells quite a lot like a phishing attempt: a weird request for personal information. After examining the email headers, it doesn’t look like this was an actual phishing attempt. It seems much more likely that this was a massive screwup, the result of a misconfigured customer support email list.

Here’s the email Essential originally sent out, via Cygnosity on Reddit and also forwarded to The Verge by another customer:

On Aug 29, 2017, at 9:23 PM, Customer Care <customercare@essential.com> wrote:

Hi,

Our order review team requires additional verifying information to complete the processing of your recent order.

This verification is performed to protect against unauthorized use of your payment information and similar to what is conducted for in-person purchases.

Please provide an alternative email and phone number to confirm this purchase.

We would like to request a picture of a photo ID (e.g. driver’s license, state ID, passport) clearly showing your photo, signature and address. NOTE: the address on the ID should match the billing address listed on your recent order.

We apologize for the inconvenience and appreciate your cooperation. Once verified, we look forward to shipping your order.

Thanks!

Essential Products Customer Care

We spoke with one of the customers who received the email, Professor Ron Schnell, who also happens to know quite a lot about digital forensics (he served as the CTO on Rand Paul’s presidential campaign).

Schnell’s analysis of the email headers is that these emails really did go back to Essential, not to a random scammer. Here’s how he characterized it on Reddit:

It is not a Phishing scam. It is a misconfiguration. The DKIMs check out, and the replies are actually going to Essential (and then many other people). I've accumulated quite a collection of D/Ls, Passports, credit card statements, phone numbers, and e-mail addresses. This is unbelievable.

What appears to have happened is that Essential had a list of customers it needed to verify to prevent fraud, so it sent them an email requesting more information. But that email address was set up as a group email, which meant that replies sent to it went to everybody on that email list. It was a misconfigured customer support address on Zendesk, a customer service portal.
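The header reasoning described above (a valid signature, replies landing at the vendor, and many other people copied) can be written as a short triage check. This is an added example, not code from the article or from Schnell; the `triage` function, the `.example` domains and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: headers of a reply as it landed in one customer's inbox.
SAMPLE = """\
Authentication-Results: mx.customer-isp.example; dkim=pass header.d=shop.example; spf=pass smtp.mailfrom=shop.example
From: Customer Care <care@shop.example>
Reply-To: care@shop.example
To: alice@mail.example
Cc: bob@mail.example, carol@other.example, dave@third.example
Subject: Re: Order verification

(body with attachment omitted)
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def aligned(signer, author):
    # Relaxed alignment: signer equals the author domain or is a parent of it.
    return bool(signer) and (author == signer or author.endswith("." + signer))

def triage(raw, trusted_authserv, vendor_domain, max_recipients=1):
    msg = message_from_string(raw)
    author = domain(parseaddr(msg.get("From", ""))[1])
    dkim_domains = []
    for ar in msg.get_all("Authentication-Results", []):
        # Only trust results stamped by our own receiving server;
        # anything else could have been added by the sender.
        if ar.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue
        dkim_domains += re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.I)
    reply_to = domain(parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1])
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])) if a}
    return {
        "dkim_aligned": any(aligned(d.lower(), author) for d in dkim_domains),
        "replies_go_to_vendor": aligned(vendor_domain, reply_to),
        "recipient_count": len(rcpts),
        "fan_out": len(rcpts) > max_recipients,  # group-list symptom
    }
```

A message that scores `dkim_aligned` and `replies_go_to_vendor` but also `fan_out` matches the pattern in the article: genuine sender, genuine reply address, and a distribution list exposing every reply to the other recipients.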

We don’t know how or why the email address was configured this way. It could have been a simple misconfiguration or potentially even a disgruntled employee, Schnell says. Whatever the original cause — a phishing scam, a stupid mistake, or something else — the end result is that people sent emails with personal information that ended up going to total strangers.

Overnight, customers’ inboxes were filled with emails like this one:

As you can see, the email coming from a customer is identified as coming from support@essentialsupport.zendesk.com and it was sent out, CC’d, to many other customers. Many include attachments and links to driver’s license images.

Notably, Essential itself has said very little, beyond the following tweet, which doesn’t characterize the email as a scam and further notes that “we’ve taken steps to mitigate.” Those “steps” appear to include, at minimum, shutting down the email list that everybody was replying to.

Essential CEO Andy Rubin later apologized, stating that the incident is “humiliating” and that he holds himself “personally responsible for the error.” Rubin also noted that Essential will offer one year of LifeLock to the affected patrons.

It’s a huge screwup from a company that likes to characterize itself as scrappy and small. But scrappy is one thing; being sloppy with customers’ personal information is another thing entirely.

Other customers, meanwhile, are still awaiting shipment of their preordered phones — Essential had said they were shipping, but it is taking quite a bit longer for orders to arrive than anybody expected.

Update August 30th, 7:54PM ET: This article has been updated to include Essential’s apology for the error.

Comments

The group reply screw-up is one thing, but is asking customers to send Driver’s License or Passport information via e-mail to prevent fraud even a common or accepted practice??

I have never been required to (nor would I ever) send that kind of info to a retailer (let alone an unproven start-up) to approve a transaction, verify address, etc. The only times I have is either when renting a car (License) or when it was a necessary part of a job-hiring process (Passport).

Agreed – it’s absurd that they would even ask for this information in the first place. No way in hell am I sending a photo of any of those items to a retailer just to buy something.

Then don’t buy from companies that ask you. But they’re also not under obligation to send you anything if you don’t verify your identity.

Online credit card fraud is a huge problem for retailers. There’s no chip and pin for online purchases; there are only the various checks that credit card processors do that can warn a retailer of potential fraud. If an order is thus flagged, it’s up to the retailer to verify that that order is legit. And there’s no real way to do that other than by physically verifying that the customer is who he/she says they are.

I’ve worked for various companies that have required this. In all cases, you’re free to fax in your info if it makes you more comfortable (and faxing definitely is more secure), but most people choose to email. There’s not really a more secure way to do it online – web email, at least, is already covered by SSL, so a web form’s not going to be any better.

Any retailer that doesn’t do these verification checks, ships out the order and then receives a chargeback on that order is just going to lose that money. So the bottom line is you either send this info in somehow or you don’t get your order. That’s it.

Most people choose to send their info in because they want their stuff.

It’s fine to do an identity check. It is NOT fine to request personally identifiable information such as driver’s license or social security number by email. Never do that.

They could provide a secure web link where you can upload this info, or one of a thousand other secure options. But asking people to send private data over email, even correctly configured, is a big no-no in infosec land.

is asking customers to send Driver’s License or Passport information via e-mail to prevent fraud even a common or accepted practice??

I doubt it’s common, but I remember two instances of this happening with large companies, one was PayPal, and the other was Adobe. PayPal’s was nearly a decade ago, but Adobe was very recently. (And that’s a company that has a poor track record with customer information as well).

When PayPal asked for my passport, I cancelled my accounts with them. It’s not something I’m ever sharing online.

I just recently had to do this for theme park tickets from the undiscoveredtourist.com. However, they at least had a link to upload your information on to their secure server. They also said to block out some of the important information, so it would be useless if the pictures got leaked.

It’s a common enough practice in B2B fraud-prevention. I’m not sure about B2C, especially for such a small-ticket item. I’ve never been asked for mine, for example.

I’m guessing something about their contact or payment info didn’t match up, so they were using this as a means to verify ownership of the given payment method.

When you’re recovering a battle.net account, Blizzard has a picture of your ID as an option, but it’s an https web form and not an email.

That’s slightly better but remember that you’re giving them an ID and they have to store it somewhere. Their possession of it is what is most of the problem.

I’m not terribly concerned about Blizzard possibly having my driver’s license number.

(Continued from my thought above)

Say for example they received an order for a very high number of phones (let’s say 10 or more) on the same card, and the order was to be shipped to a location nowhere near the cardholder’s home address. This may indicate credit card theft. To avoid a potential $7000 chargeback, Essential may do a bit more due diligence than they would on a typical customer.

Makes sense. But if they requested this kind of info from people that just ordered one phone, it’s either very bizarre or another screw up.

It’s neither bizarre nor a screwup. A person may provide the wrong billing address. Or their bank may have a history of problems with their card. Or they may be using an anonymous proxy. Or any number of other things.

Credit card processors and banks know what patterns have historically been associated with fraud, and they will flag those orders as needing additional verification. This all happens automatically. Banks return certain values against specific checks and the processor’s algorithms then examine those for trouble patterns. Sometimes those flags end up being nothing, but sometimes they really do find actual fraud. I’ve worked in mail order in various capacities for close to 20 years and I’ve seen it many, many times.

Totally agree. I have made countless online purchases, many for more than this phone costs, and I have NEVER (nor would I EVER) been asked to send a DL or passport!

I can’t figure out which part of this story is the most shocking – that they stupidly shared highly confidential information, or that they asked for it in the first place. Both are beyond unacceptable.

And apparently they can’t manage to actually ship the phones they’ve been promising since June – at least not more than a handful of units.

What a monumental cluster f*$&. I don’t see this brand having much of a future without a big management shakeup. Even then it seems unlikely.

Both are beyond unacceptable.

I’m guessing they included something about "extra personal verification at our discretion" or something in their T&C.

Asking for a DL is a perfectly legit form of identity verification, although generally I wouldn’t think to do it for a $700 purchase (imagine if Target or WalMart asked for your DL every time you bought something. User-hostile and stupid, indeed!)

But asking for them via email is just plain sloppy. A company worth $1bn should at least be using some sort of secure file transfer service. Even faxing it in would be safer.

I don’t care what their terms say, it’s not ok to request digital images of sensitive documents over email… for obvious reasons. It’s very different from a cashier glancing at your ID at Target. I am a heavy online shopper and I have never encountered this shady practice. It’s highly unusual, and clearly not a good idea. If this debacle doesn’t prove that, I don’t know what would.

Well yeah, clearly it’s unacceptable to request it via email at all. That was bad enough, and made 1,000 times worse (or more, literally) that they apparently sent the requests as a group message instead of individually.

And this is supposed to be a cutting-edge tech company selling a product that people may be storing sensitive information on…

Exactly. They can’t even figure out email.

I just had flashbacks to asking to see people’s DLs whenever I received a check as a grocery store clerk a half of a lifetime ago. We were all so used to the request 20-30 years ago & it still almost got you punched in the face every single time!

It’s surprising to me that you can’t tell which is worse – leaking PII or asking for DL information to prevent fraud. You are unnecessarily shocked at the latter practice – really man, it’s a thing.

I had to fax a copy of my license to Amazon recently after being a customer for years. They sent me two strangely worded emails that looked like a phishing scam so I ignored them until I couldn’t log in to my account a few months later.

Only when I was buying a $1000 Dell gift card.

Right? Just set up a freaking upload form and have people do it that way. Even if their emails didn’t get sent to every other person in the email group, what might happen to that image of the driver’s license down the line? And emails are notoriously unsafe as well.

As if a newly launched company trying to sell a yet unproved product really needed that kind of coverage… Huge screw up indeed.
