Essentially Stupid: Essential Leaks Customer ID Data

In case you haven't heard, one of the dopiest screwups in tech history stumbled stupidly into the news yesterday. Andy Rubin's new hardware startup, Essential, has massively borked what should be a relatively simple order fulfillment process in shipping their new smartphone. What happened is just so unimaginably wrong in so many ways. There simply are not enough facepalm memes in the world to express the magnitude of imbecility on display in this debacle. Let's walk through what happened. Perhaps other companies can learn from these mistakes. For the love of all that is dear, please learn from this.

First, Essential began sending out emails to pre-order customers to notify them that their phones would begin shipping. At this early point in our tale, we will—already—be turning away from sanity, and we will begin a loopy crazywalk through the Land of WTF: many of these customers were asked to confirm their identities by emailing the company photographs of their driver's licenses.

I am now pausing for emphasis.

Why in God's Hot Green Hell would an e-commerce operation even need to confirm identity with a driver's license in the first place? Even more perplexing (to those of us with central nervous systems): they asked for ID's over email. They didn't request that this highly sensitive personal data be sent via a decently configured, TLS-encrypted browser session. They asked for it via email.

I am now pausing for emphasis once again. Just ponder the vast stupidity of the above for a moment. Close your eyes. Clear your mind. Savor the stupidity of it all. Revel in it.

OK, open your eyes again.

There is no scenario I can imagine in which a retailer would need to verify identity in this fashion. Credit card processors do not ask for this information. It simply makes literally zero sense.

Are you ready for some more stupid hijinx? Get a load of this: due to a misconfigured instance of the popular ticket-tracking system Zendesk, when customers began dutifully emailing photos of their driver's licenses to Essential, the photos were sent to at least 70 other customers who were on the same list.

I just can't go on. But I will.

At first, many in the press and on social media began to assume that all of the above was a phishing scheme. Perhaps some clever attacker had compromised Essential's systems and had gathered the email addresses of their customers. Perhaps this theoretical attacker sent emails to those customers asking for ID photos, which could then be used in identity theft schemes. It's plausible enough, and it would explain the scenario very neatly. What a relief, the Sane Ones told themselves. Just a phishing scheme.

Except it wasn't. Examination of the email headers seemed to indicate that the messages came from Essential-controlled servers. And then, Andy Rubin fessed up to it all:

Yesterday, we made an error in our customer care function that resulted in personal information from approximately 70 customers being shared with a small group of other customers. We have disabled the misconfigured account and have taken steps internally to add safeguards against this happening again in the future.

Oh, good. They took steps! Nothing else in their operation is dripping with Liquid Crazy. Nope, nosiree. Everything else is totally smart, not stupid at all. Nothing further to see here. Rubin continues:

We sincerely apologize for our error and will be offering the impacted customers one year of LifeLock.

Andy, that should just fix everything. Credit monitoring: what a relief.