One big lesson from the Essential smartphone email fiasco

Credit to Author: John Brandon | Date: Thu, 31 Aug 2017 13:52:00 -0700

The term “improperly configured” is a real plague on the IT landscape.

It can describe a firewall that is supposed to be protecting an enterprise; it can explain the problems on a web server. For one newly minted smartphone company, it can also look pretty embarrassing.

Essential recently sent out an email to customers asking for proof of identity. This request was a little odd in the first place: who does that anymore? The email basically asked customers to reply with a picture of their photo ID or passport. From a security standpoint, that’s a bit like asking people to text their credit card number to a hacker.

Where things really went south, though, was when the customers who replied to the email realized they had sent those identity documents to everyone else on the email chain.

Essential later admitted the error and said it was due to a configuration problem on a Zendesk support email. Oops. At first, it seemed like a hacker had done some dirty work.

Andy Rubin, the famed Android creator and founder of Essential, sent out an apology:

“Being a founder in an intensely competitive business means you occasionally have to eat crow. It’s humiliating, it doesn’t taste good, and often, it’s a humbling experience. As Essential’s founder and CEO, I’m personally responsible for this error and will try my best to not repeat it.”

Here’s where things get interesting, though.

The problem with the whole fiasco is that it should never have happened, even at a small company. For starters, who was testing the email process? From what I understand about how emails are often sent out to customers — especially an email newsletter — there’s typically a test to make sure everything works and to get approvals from stakeholders. For example, you send out a test email to a few people first and make sure everything works, the formatting is correct, the sender looks legit, a reply works, and the links operate as expected. Accidents happen. That’s why, for a newsletter, companies do a test run to see if there are any anomalies. It’s not really acceptable to say the accident happened “live” with the real email.

You could say it takes time and effort. But that’s not really an excuse if you plan ahead a little. If a mass email needs to go out on Friday, you can schedule a test for Thursday, fix the problems (in Zendesk, or MailChimp, or whatever tool you are using) and then proceed.
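The test run described above can be made mechanical. The script below is an added example, not code from Essential, Zendesk or this column: it lints a captured copy of the test send before the real send goes out. The page only says the leak came from a "configuration problem", so the specific checks here are assumptions about what a support-desk mass mail can get wrong: customer addresses exposed in To/Cc instead of Bcc, a Reply-To that fans replies back to the other recipients, mailing-list headers that rebroadcast replies, and a body that asks people to send identity documents by email at all. The two messages are constructed samples, not real Essential mail.

```python
"""Pre-send lint for a customer mass email (added example; assumed checks, constructed samples)."""
from email import message_from_string
from email.utils import getaddresses

# Phrases that suggest the message invites sensitive documents by reply.
# Constructed list for this example; tune it to your own templates.
SENSITIVE_REQUESTS = ("passport", "photo id", "driver's license", "credit card")


def lint_outbound(raw_message: str) -> list[str]:
    """Return a list of findings for a test send; an empty list means it looks safe."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Every address in To/Cc is visible to every other recipient.
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if len(visible) > 1:
        findings.append(f"{len(visible)} recipients exposed in To/Cc; put mass recipients in Bcc")

    # 2. Where does a customer's reply actually go?
    reply_to = [addr.lower() for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    if not reply_to:
        findings.append("no Reply-To; replies fall back to From, verify it is a private mailbox")
    if len(reply_to) > 1:
        findings.append("Reply-To names several addresses; a reply would go to all of them")
    for addr in reply_to:
        if addr in visible:
            findings.append(f"Reply-To {addr} is also a recipient; replies would reach the whole chain")
    if msg.get("List-Id") or msg.get("List-Post"):
        findings.append("message carries mailing-list headers; replies may be rebroadcast to subscribers")

    # 3. Does the body ask for documents that should never travel by email?
    texts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = " ".join(texts).lower()
    for phrase in SENSITIVE_REQUESTS:
        if phrase in body:
            findings.append(f"body asks for '{phrase}' by email; use an authenticated upload portal instead")

    return findings


# Constructed sample: the shape of send that would leak replies to every customer.
BAD_TEST_SEND = """\
From: support@example.com
To: alice@example.net, bob@example.org
Reply-To: support@example.com, alice@example.net, bob@example.org
Subject: Please verify your order

Reply to this email with a photo of your passport or photo ID.
"""

# Constructed sample: one visible tester, replies go only to the support mailbox,
# and verification happens in a logged-in portal rather than by attachment.
GOOD_TEST_SEND = """\
From: support@example.com
To: tester@example.com
Reply-To: support@example.com
Subject: Please verify your order

Sign in at https://support.example.com/verify to complete verification.
"""

if __name__ == "__main__":
    for label, sample in (("bad", BAD_TEST_SEND), ("good", GOOD_TEST_SEND)):
        result = lint_outbound(sample)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against the message your tool actually produced for the Thursday test send (most desks and newsletter tools can show or forward the raw source); a non-empty result is the reason to fix the configuration before Friday.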

More than anything, it makes me wonder how much the company tested the phone itself. Hopefully, if you bought one and need support, you won’t find out it was a mistake.
