For years, Amy Kono, a 35-year-old project manager from California, has been getting emails from US telecom Sprint that aren't meant for her. She doesn't get them frequently -- she estimates she's received 30 or 40 over the years -- but they contain other customers' leasing agreements for new phones and cell service agreements, which often include sensitive information like addresses, phone numbers, and other billing information. She's contacted Sprint several times about the problem, but it just keeps happening.
Kono's theory is that she gets the emails when customers decline to provide an email address when they visit a Sprint store, and Sprint employees are filling in her email address instead. Her email contains the word "sprint" and a brief string of numbers, which employees are likely entering into their point-of-sale systems thinking it's a dummy account. But it's not, and Kono winds up holding the transaction records.
"The issue is store employees using my generic-seeming email address for the customers' security contact email," Kono told Gizmodo. "I've spoken to Sprint three times -- each time they promise to fix the issue, but it keeps happening. They don't seem concerned at all that some customers' have their info sent to random emails."
The first time she received one of the messages, Kono thought it was some kind of phishing scheme. But as the messages kept rolling in, Kono got annoyed -- then worried. "I also had a paranoid idea that I could somehow be implicated if these customers did end up having their identities stolen," she explained.
During one of her phone calls with Sprint customer service, Kono says she was advised to call all of Sprint's stores or visit them in person and ask them not to use her email address as their default when customers don't want to provide their email. This is a ridiculous suggestion: In 2015, Sprint announced it had reached 4,500 retail stores.
At one point, Sprint told Kono they would block her email address from their system -- a problem because Kono herself was a Sprint customer and wanted to receive emails for her own account -- but she kept receiving the emails even after Sprint said her address was blocked. "After about two years of trying to get them to do something about it, I feel powerless," she said.
A Sprint spokesperson told Gizmodo in late September that the issue had been fixed, but declined to say what the company had done to prevent the emails from being sent in the future, citing Kono's privacy.
"After investigating what happened with the email address you provided, it seems there was a human error when the customer's information was entered at the point of sale. Thank you for bringing this to our attention, and we have taken steps to resolve the issue," the spokesperson said. Gizmodo asked what steps had been taken, and the spokesperson replied, "In order to protect their privacy, we do not typically disclose details of customer accounts. However, I can confirm that the issue has been resolved, and this customer should no longer receive email communications to that account."
Kono then contacted Sprint and asked the company to share how it resolved the issue with Gizmodo. Instead, Sprint spoke privately with Kono. "They are only willing to remove the customer account from my email each time it happens, but the woman who reached out to me said she knew nothing about changing store policy. She even claimed it was a one-time technical issue," Kono said. "They still didn't understand that this has happened to me multiple times."
Then in October, after Sprint had promised the issue was fixed, Kono got more emails from Sprint intended for yet another customer.
"I am not able to give you specifics, but I resurfaced this with our Care team again," a Sprint spokesperson told Gizmodo when asked about the new set of emails.
Some companies will register or attempt to buy email accounts with names that mimic their corporate branding so that the accounts can't be used to target unsuspecting users in phishing schemes. And some users with common names will often end up receiving email that's not intended for them. In 2008, a man who had registered "[email protected]" as a joke was forced to give up the account because it was inundated with messages during Barack Obama's first presidential campaign. But it's unusual for a company to show so little concern about an email leak.
"I've never seen something like this," Amul Kalia, a staffer at the digital rights organisation Electronic Frontier Foundation, told Gizmodo. Kalia is consulting with Kono to try to stop the data leak.
"I think it's pretty alarming that Sprint doesn't have any quality controls or a mechanism to make sure customer's private information doesn't make it into the hands of someone else," Kalia explained. "We know computer security is not perfect -- sometimes you will get hacked. This is something the company is doing deliberately."
Gizmodo contacted one of the Sprint customers whose contract had been emailed to Kono. Through his girlfriend, who translated our conversation between Spanish and English, the customer said that Sprint had never contacted him to inform him that his data had been inadvertently leaked. He also never received any copies of his contract to his actual email address.
Because the leaked information doesn't include Social Security numbers or driver's licence numbers, Sprint likely isn't required to disclose the leak under California law.
"While Sprint may not have an obligation under CA law, this was still a breach because people's personal information was disclosed," Kalia said. "It was a weird breach in the sense that this is a very bizarre situation, but nonetheless the Sprint customers who signed these contracts likely didn't expect the information to end up with a random person due to the company's actions.
"What is the company doing to remedy this situation and why was it happening in the first place? It won't violate anyone's privacy for it to admit a mistake and that they are fixing it to ensure it doesn't happen again."
Kono said Sprint has not contacted her since the most recent emails arrived in October. "I've felt helpless about this issue for so long," she said. "Three times they have told me they resolved the issue, so it's hard for me to believe them."