No matter how careful you are with your data, it only takes a single company to mess up to expose your private details. Back in May of 2017 this happened to me and at least 704 others that I know of.
Doxing (from dox, abbreviation of documents), or doxxing, is the Internet-based practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual or organization.
That's a cool product
At the end of 2016 I became aware of a really cool product called AirBlock: a drone and hovercraft that can be programmed with a Scratch-like programming language. This type of product really gets me going, as I love to play with these types of toys together with my 5-year-old.
In total, 5307 other people believed in this project and funded it all the way. It was supposed to ship out in February 2017.
On February 6th a survey was sent out. It had some questions regarding the product and, of course, the shipping address. This is a normal procedure for crowdfunding projects, so nothing out of the ordinary here.
It allows a crowdfunded project to clean up their data, offer additional products for their project and ensure that the product is sent to the correct address.
After you fill in the survey, a short amount of time should pass before the product arrives.
The long way
After a very long, and quiet, period there finally was a positive update: shipping had started! Like me, countless people were waiting for a delivery; the comments page was full of “how long will it take?” posts.
And then it happened…
Getting 704 addresses
On May 11th I received a mail with the title “The Waybill of your Airblock - From Makeblock”. Great, I thought, it will be here soon! I opened the mail and I could not believe my eyes; attached was an Excel sheet with data on 704 shipments to the EU.
The sheet contained the backer number, a tracking number and the courier, in this case UPS for all of them. The email told me to look up my backer number and then use that tracking code.
What can you do with a tracking number?
You might not immediately see the harm in obtaining tracking numbers, but once you enter one on the courier's tracking page you get the recipient's address details.
That is quite a piece of information, right? You can also request the package to be delivered elsewhere. It can turn really nasty, really fast.
After delivery most sites offer a proof of delivery, which tells you exactly when it was delivered and in some cases shows the signature of the person who signed for it.
In the comment section of the project many people willingly share their backer number, thinking it cannot be used to identify them. Combined with the Excel sheets that were sent out, a backer number reveals more than you probably wanted.
Disclosing to Makeblock
Of course I immediately emailed the company to alert them of this issue, but my notification went without response. It has been 2 months since my notification, and since then more emails with the Excel files have been sent (see below).
In the comments section I read that more people received this exact email.
Some people actually tried to help others find their order.
Enough time has passed for all the packages to be delivered, so I feel free to share my story. Other crowdfunding projects might learn from this: no matter your motives, you should never send this type of information to all your customers; make sure you send tracking information only to the specific customer it belongs to.
With the new EU General Data Protection Regulation (GDPR) this could also be quite a costly mistake for any company. So please take the security of your customers' data seriously.
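The per-customer mailing the advice above calls for, as an added example that is not the author's or Makeblock's code: a constructed shipment sheet is split into one message per backer, and a leak check confirms that no message mentions another backer's tracking or backer number. The column names, tracking numbers and email addresses are all made up for the example; the bulk variant is included only so the check can be seen catching it.

```python
# Added example (not the author's or Makeblock's code). Column names,
# tracking numbers and email addresses below are constructed.
import csv
import io
from typing import Dict, List

# Constructed sample of the kind of sheet the post describes, with the
# backer's email added (the mailing side has it anyway).
SHEET_CSV = """backer_number,tracking_number,courier,email
101,1ZCONSTRUCTED0001,UPS,a@example.org
102,1ZCONSTRUCTED0002,UPS,b@example.org
103,1ZCONSTRUCTED0003,UPS,c@example.org
"""

def load_shipments(csv_text: str) -> List[Dict[str, str]]:
    """Parse the shipment sheet into one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def build_notifications(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {email: body}; each body carries only that backer's own row."""
    messages = {}
    for row in rows:
        messages[row["email"]] = (
            f"Hello backer #{row['backer_number']},\n"
            f"your parcel ships via {row['courier']} with tracking number "
            f"{row['tracking_number']}.\n"
        )
    return messages

def build_bulk_notification(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """The pattern from the post: every backer receives the whole sheet."""
    table = "\n".join(f"#{r['backer_number']} {r['courier']} {r['tracking_number']}" for r in rows)
    return {r["email"]: "Find your backer number below:\n" + table for r in rows}

def leaked_pairs(rows: List[Dict[str, str]], messages: Dict[str, str]) -> list:
    """(recipient, other_backer) pairs where a message exposes another backer's
    tracking number or backer number. Empty list means no cross-customer leak."""
    leaks = []
    for row in rows:
        body = messages[row["email"]]
        for other in rows:
            if other is row:
                continue
            if other["tracking_number"] in body or f"#{other['backer_number']}" in body:
                leaks.append((row["email"], other["backer_number"]))
    return leaks

if __name__ == "__main__":
    shipments = load_shipments(SHEET_CSV)
    print("bulk sheet leaks:", len(leaked_pairs(shipments, build_bulk_notification(shipments))))
    print("per-backer leaks:", len(leaked_pairs(shipments, build_notifications(shipments))))
```

Running the leak check before any mailing goes out is the cheap gate that would have stopped the sheet in this story from leaving the building.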