I recently received a letter from a local Lexus car dealership via snail mail. The letter began, “Dear Allan, this is an important notice concerning anyone who may own a (specific year) (specific car make and model).” While I don’t often read junk mail, let alone open it, I quickly saw that this piece was different.
On the outside envelope, there was a URL with my name included in the URL – so I was curious. And in the letter, my current vehicle was referenced: the year as well as the make and model were all correct. Also note, the letter was addressed to me with my (correctly-spelled) first name (unfortunately, it is misspelled more often than not), middle initial, and last name – and also included my accurate full mailing address. By now, you are probably shaking your head, as I was too.
Lastly, the call to action was an offer to buy or lease a new Lexus with a $1,500 discount – a discount that could only be obtained by visiting a website that was created just for me and included my full name as part of the URL. The sentence in the letter stated, “Visit your personal website to view more information on your exclusive offer and to register.”
On the landing page that included my name, two things were requested: my email address and phone number. Sorry, Lexus, this tactic is not the correct way to get these two pieces of personally identifiable information (PII) – especially from someone who works in the infosec world and advocates for online safety, privacy, and security 24/7.
I discussed this direct mail piece with Rebecca Herold (@PrivacyProf on Twitter), internationally-known privacy expert and fellow privacy advocate, and she agreed, “Looks like a new marketing scheme, and the way they are doing it appears to be skirting CAN-SPAM violations. I suspect we’ll be seeing more of these incredibly invasive types of marketing activities.”
So, the question is, did Lexus purchase a list of current customers from my existing dealer? Or did Lexus purchase the addresses of local residents with the details about their vehicles from the Department of Motor Vehicles (DMV)? While I have attended the annual Los Angeles Auto Show in the past, I have never given my name to Lexus – so did Lexus purchase a list of all attendees from another manufacturer where I might have provided my details?
Any way you look at this, it’s disturbing. At the very least, it appears that Lexus has crossed the privacy boundary line. Have you ever seen anything like this in your industry?
Allan Pratt, an infosec strategist, represents the alignment of technology, marketing, and management. With an MBA Degree and four CompTIA certs in computers, networks, servers, and security, Allan translates tech issues into everyday language that is easily understandable by all business units. His expertise includes the installation and maintenance of all aspects of the PC and peripheral lifecycle and the planning and integration of end-to-end security solutions. Allan also teaches both the CompTIA A+ and the CompTIA Security+ certification courses, and has been quoted in industry publications. Follow Allan on Twitter and on Facebook.