Fairphone’s Survey Slip Up Exposes User Data Twice


You don’t realize how much of your data is vulnerable until a company you trust accidentally spills it. Twice. When that slim opportunity to grab user information presents itself, malicious entities don’t hesitate to exploit it. Although this wasn’t the case with Fairphone, it could’ve easily been. 

A survey leak no one signed up for

Dutch smartphone maker Fairphone accidentally shared the personal information of 24 beta testers in two separate incidents. It started with the misconfiguration of an online form used for a beta testing survey. It’s unclear what exactly was being tested, but participants could see each other’s responses. 


Now, if you’ve ever taken an online survey on anything, you’d know that this is wrong on many levels. Surveys are supposed to be private and the responses accessible only to the person collecting them. Yet, Fairphone’s mistake unveiled names, email addresses, home addresses, phone ownership details, telecom operators, and even IMEI numbers. 

Their assurance is that no outsiders, such as hackers, third parties, or the general public, had access to the leaked information. But just because the other testers aren’t hackers doesn’t mean they can’t misuse the data.

Someone could use an email address for spam, a home address for unwanted contact, or an IMEI number for fraudulent activities. The use cases are limitless. Legally, under the General Data Protection Regulation (GDPR) and other regulations, it still counts as a leak since there was unauthorized disclosure, regardless of how small the mistake is. 

How fixing one leak created another 

In their defence, Fairphone quickly identified the survey user data leak. The issue happened between March 3rd and March 4th; they discovered it on March 4th at 4:00 PM. The exposure lasted less than two days before they took action.

They restricted access to the form responses, corrected the misconfiguration, and implemented additional security measures to prevent it from happening again. 


Fairphone sent a follow-up email to affected users to clean up the mess further. However, things worsened when they used the “reply all” feature. Every recipient could then see the other affected users’ email addresses. That’s like your therapist sending a public message to all their patients. Knowing that others now have your name and know how to reach you is a violation.

If they had used Blind Carbon Copy (BCC), it would hardly have been an issue since each recipient would have received the email privately. Although the damage is done, Fairphone advises you to stay cautious of suspicious activity and contact them at their privacy email (privacy@fairphone.com) for more details.
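The difference between the shared notice and a private one can be checked before anything is sent. The following is an added example, not code from the article or from Fairphone; the addresses, function names and the `max_visible` threshold are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: placeholder addresses, not taken from the article.
SENDER = "privacy@example.com"
TESTERS = ["anna@example.com", "ben@example.com", "chris@example.com"]


def build_shared_notice(recipients, subject, body):
    """Weak form: one message with every tester listed in the To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_private_notices(recipients, subject, body):
    """Corrected form: one message per tester, addressed to that tester only."""
    return [(rcpt, build_shared_notice([rcpt], subject, body)) for rcpt in recipients]


def exposed_recipients(msg):
    """Addresses every recipient can read, i.e. those in the To and Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_before_send(msg, max_visible=1):
    """Pre-send guard: reject a mail whose headers disclose the recipient list."""
    visible = exposed_recipients(msg)
    if len(visible) > max_visible:
        raise ValueError(f"{len(visible)} addresses visible in To/Cc")
    return True


if __name__ == "__main__":
    shared = build_shared_notice(TESTERS, "Incident notice", "Details follow.")
    print("shared notice exposes:", exposed_recipients(shared))
    for rcpt, msg in build_private_notices(TESTERS, "Incident notice", "Details follow."):
        print(rcpt, "sees only:", exposed_recipients(msg), check_before_send(msg))
```

A message that carries the testers in Bcc passes the same guard, since Bcc addresses are not part of To or Cc; Python's `smtplib.SMTP.send_message` leaves Bcc headers out of the transmitted message.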


In the future, be cautious about where and how you share personal information. Create a secondary email specifically for beta programs or surveys if you have to. Sometimes, the email you use depends on the purpose of the study. If the survey requires accurate product testing or delivery details, using fake information could affect its legitimacy. 

You can also limit the information you share by providing general details instead of specifics when possible. Instead of your complete home address, enter your state or country if that suffices. For phone numbers, use a burner number or a VoIP service. 




