Onewheel Sent Thousands of Customers’ Private Data to Random Customer

The company said it shared a spreadsheet of customer names and home addresses by mistake.

A company that sells an electric skateboard mistakenly sent a customer the private data of thousands of other customers, including full names, email addresses, and home addresses, in what appeared to be an email copy-paste snafu.

On Monday, a customer reached out to Onewheel's online support asking for the link to register his new board for warranty purposes. But instead of sending him the link to the registration form, a support representative replied with a link to a spreadsheet containing responses to that registration form, which included hundreds of customers' private data, Motherboard has learned.

The Google Spreadsheet was shared in a way that anyone with the link could see it, even if they could not modify the data within it. The spreadsheet had more than 50,000 entries dated from 2014 until Monday of this week, according to a video the customer sent to Motherboard. Motherboard verified the information in the spreadsheet by contacting a handful of customers included in it. One of them confirmed he is a Onewheel customer, and also confirmed the date he registered the board with the online form.

Google Documents and Spreadsheets are set to private by default, and users need to manually change that setting to allow for anyone with the link to see them.

A screenshot showing the default settings of a Google Spreadsheet. (Image: Motherboard)

The customer who received the spreadsheet, who asked to be referred to only as Daniel for fear of retaliation and to protect his privacy, immediately alerted Onewheel.

"I have privacy concerns now with regards to providing my information to you all, considering the spreadsheet provided to me has everyone's First and Last name, including their serial number of their Onewheel," Daniel wrote. "I'm definitely not trying to get anyone in trouble but if possible, before I provide my information for warranty purposes, you could provide me information on how you'll keep my information private and safe."

Onewheel's director of customer services Ian Scott admitted the mistake in a follow-up email to Daniel, and said the link "has been removed" and added that "all personal data is stored internally and is not accessible to outside sources."

There is no evidence that anyone outside of Onewheel—except for Daniel—got the data too. Daniel said he only shared the video with Motherboard, and was planning to delete it. 

After Motherboard reached out to Onewheel asking for comment, the company declined to specify exactly how many customers were included in the spreadsheet or whether the company plans to notify them of the incident.

"The privacy and security of our customer data is of paramount importance to us. We recently became aware that some Onewheel customer data was inadvertently disclosed in response to a request from a customer," the founder and CEO Kyle Doerksen said in a statement sent via email to Motherboard. "This involved a small minority of our customers and did not contain sensitive information such as social security numbers, driver’s license information or credit card information. Upon notification of this disclosure we immediately took action to address it, including taking steps to ensure it does not happen again and improving our data security and privacy protocols."

"This is quite disappointing, and shows that they don't have the necessary safeguards in place to protect their customers' information," one of the Onewheel customers included in the spreadsheet told Motherboard. "They should be called out for that and put processes in place. Creating cool products is awesome but amateur corporate/admin work should not be tolerated in the 21st century."
