Essential apologizes for 'humiliating' customer data leak

The new smartphone firm managed to phish its own customers.
Written by Charlie Osborne, Contributing Writer

Essential founder and CEO Andy Rubin has apologized for a "humiliating" security failure that led to the leak of information belonging to customers.

Essential touts itself as "creating solutions for the way people live in the 21st century," and the firm's first offering, a modular smartphone, is designed to stand out from the competition by eradicating bloatware and offering long battery life.

With shipments winging their way to customers, Essential made a catastrophic and, frankly, sloppy mistake that has placed the personal data of customers at risk.

On Wednesday, the CEO said in a blog post that information belonging to roughly 70 customers was accidentally shared with other customers.

It was not just email addresses and names, however. In some cases, driver's licenses and IDs were also freely shared.

This week, early adopters of Essential smartphones warned on Reddit that an email claiming to be from the company was asking for sensitive documents, such as copies of IDs and driver's licenses, to verify their subscriptions.

In part, the email said:

"Our order review team requires additional verifying information to complete the processing of your recent order. [..] Please provide an alternative email and phone number to confirm this purchase.

We would like to request a picture of a photo ID (e.g. driver's license, state ID, passport) clearly showing your photo, signature and address."

Many believed this to be a phishing scheme, specially crafted for new Essential customers and designed to steal their sensitive data.

As one Reddit user noted, "no company in their right mind (at least none that want to stay in business) would ever send an email asking for personal details like an ID/Passport." However, Rubin has since admitted it was the company's error and not a threat actor.

To make matters worse, those who replied were pinged through a poorly configured Zendesk setup, which CC'ed responses to other customers.

"Being a founder in an intensely competitive business means you occasionally have to eat crow," Rubin said. "It's humiliating, it doesn't taste good, and often, it's a humbling experience. As Essential's founder and CEO, I'm personally responsible for this error and will try my best to not repeat it."

"We have disabled the misconfigured account and have taken steps internally to add safeguards against this happening again in the future," the executive added.

In an attempt to keep customers sweet and show that they are taking the security issue seriously, the company is offering impacted customers a year of LifeLock, an identity theft protection service, for free.

For a new company to make such a daft mistake, this may not be enough -- although the executive also said on Twitter that free phones may be in the pipeline, too.


"I remain heartened and motivated by the groundswell of support that Essential has experienced since unveiling the company on May 30th," Rubin says. "We continue to believe deeply in our vision and the innovation we are bringing to life via our Home, Phone and 360 Camera products. I humbly thank our customers and channel partners for your patience and understanding as we proceed with the launch of our first products."

It isn't good enough, especially for a company looking to take on established players such as Apple, Samsung, and Huawei. We will have to wait and see if Essential learns from its mistake.

