3 months ago I received an email that got my attention. I subsequently wrote a blog post about it. To make a long story short, I suspected the disposable email address I used exclusively for Ledger Card leaked somehow because I got a suspicious email at that address. Later on, I found out the source of the problem lay in Baanx, Ledger's business partner.
Baanx informed me that the email I got had been sent by a legitimate project, which is a partner of Baanx. I neglected to check the project carefully — that’s on me!
However, it’s only one part of the issue.
The email message came unsolicited to the address which shouldn’t be used for this type of communication. There is no doubt Baanx failed to handle my email address properly. While Baanx might see it differently, I believe this specific mailing campaign reached others as well. However…
The breach probably did not happen
We exchanged a few messages and had video calls with Baanx. I learned a lot of details, which I won’t provide here. The common part of our conclusions is that there was a human error during the handling of marketing email campaigns.
Most importantly, Baanx said they investigated the case, fixed a software bug, and cleaned up internal processes. Here is part of the email I got from Baanx:
There definitely were some "human error" learnings here on our internal processes that were cleaned up, so I thank you for reporting the issue. No other customers or waiting list participants contacted us, so it appears to be a single edge case - at least from reports.
While I think they could do a bit better, I believe them.
The end of this story is positive. Something that looked like a data breach turned out to be a relatively harmless human error. That’s a relief!
A special thanks to Scott Carlson from Baanx for his diligent management of the situation.