
Startup phone manufacturer Essential appeared to suffer a significant screw up on Tuesday evening when the company accidentally shared the driver’s license numbers of its customers with others via email.

The mistake took place after Essential contacted a number of its customers who preordered the company’s first smartphone. Essential asked the customers for a copy of their driver’s license to verify their address, in an effort to prevent fraudulent purchases or shipments made to the wrong address.

However, when customers replied to those emails with personal information—including their full driver’s license—the reply didn’t just go to Essential; it was also sent to every other customer who received the email asking for the information.


The incident bears some of the markings of a phishing attack, and a number of users appeared suspicious of the email when it was first received. It’s rare for a company to ask for personal information to be disclosed via email, especially a copy of a personal document like an ID card.

Ron Schnell, Professor of Computer Security at Nova Southeastern University, said in a post on Reddit that his analysis of the email suggested it was real and that the incident was not the result of an elaborate phishing attack but rather a misconfiguration of the company’s email server.

“It is not a Phishing scam. It is a misconfiguration,” Schnell wrote on Reddit. He noted that DomainKeys Identified Mail (DKIM), a means of authenticating an email’s original sender, confirmed the message came from Essential, but replies were mistakenly being sent to everyone who received the original email.

“I've accumulated quite a collection of D/Ls, Passports, credit card statements, phone numbers, and e-mail addresses,” Schnell said. “This is unbelievable.”

Another piece of evidence pointing to a misconfiguration is how the emails have appeared in people’s inboxes. When someone replies to the original email, the reply is delivered to other members of the email group from an Essential support email address, support@essentialsupport.zendesk.com. The address, operated through customer service portal Zendesk, forwards every reply to the group instead of just delivering it to Essential.

The mistake in and of itself is troubling as it reveals a significant amount of personal information to other people who could potentially use it for malicious purposes. The information is unredacted and could easily be used to commit fraud—an ironic result given the original request was intended to combat fraud.

Almost as frustrating for customers as the mistake is Essential’s lack of response to the incident. The company has essentially been silent, save for a single tweet sent early Wednesday morning acknowledging in the vaguest of terms that a problem occurred.

“We’re aware of & looking into a recent e-mail received by some customers. We’ve taken steps to mitigate & will update with more info soon,” the tweet said.

While the tweet provides next to no details, it does acknowledge that some sort of incident took place with emails sent to customers and it doesn’t refer to that incident as a scam or phishing attempt. The company also notes it has taken “steps to mitigate” the situation, suggesting it is in fact an issue caused by an internal error.