Dieter Bohn, the Verge:
Last night, some customers who had preordered an Essential phone received an email asking for a copy of their driver’s license, ostensibly to verify their address in an attempt to prevent fraud.
Dozens of customers replied with their personal information, but those emails didn’t just go to Essential; they went out to everybody who had received the original email. That means that an unknown number of Essential customers are now in possession of each other’s driver’s license, birth date, and address information.
The incident is being reported as phishing by many outlets, because it looks and smells quite a lot like a phishing attempt: a weird request for personal information. After examining the email headers, it doesn’t look like this was an actual phishing attempt. It seems much more likely that this was a colossal screw up, the result of a misconfigured customer support email list.
It’s one thing to be late to ship preordered phones; it’s another to be late and uncommunicative. But this is almost cartoonishly sloppy.
Even if everything had been correctly configured and replies had not gone to everyone in the thread, Essential still should not have asked users to reply to an email with extremely personal information, like a copy of their driving license. Because the request looks like a phishing attempt, recipients either won’t comply or have to lower their defences to do so. A better approach would be to ask users to send their driving license separately via a form or similar on the official Essential website, somewhere reachable from a menu. That would make it far clearer that this is an official, and more secure, request.