Dear MAP Team: I Think You've Got The Wrong Number

The vibe

You know how some emails are obviously marketing automation or straight up phishing? Branded headers, unsubscribe footers, copy doing that little dance where every sentence ends with an exclamation mark like a hostage trying to seem cheerful? Or some Nigerian prince trying to get your social security number?

This wasn't that.

This was the email equivalent of getting a text from your mate at 2am that just says "did u send" with no further context. Plain teal Courier New on white. Five paragraphs of nothing. A zip file attachment named, and I am not making this up, DataExtract_UKRaceweekends100bonuspointsSVPversion.csv.zip. Signed off, with the bright-eyed confidence of someone who has never had to think about a regulator in their life, "MAP Team".

The body, in its full literary glory:

Hello, Here is the information you requested, Please find the data in the file attached. Best Regards, MAP Team

I did not request this information. I did not request fuck all. I bought some petrol at some point in 2025 (I own a fucking EV) I signed up to Shell Go+ because they had a deal on. That is the full extent of my relationship with Shell. It is not, by any honest reading, a "send me your raw campaign data extracts" kind of relationship.

The pause

There's a specific pause that happens when you realise an email is from a real company but is also clearly not for you. It's the same pause as when you accidentally walk into the wrong meeting room and someone is mid-sentence about Q3 forecasts. Your brain context-switches from "oh good, mail" to "oh no, I'm now witness to something I shouldn't be witness to and what the fuck do I do".

I did the only sensible thing. I didn't open the zip.

I want to make this clear because it's the most important sentence in the whole post: don't open the zip. The moment you open it you become, under UK GDPR, someone processing other people's personal data without a lawful basis. Small problem if you do it once by accident. Bigger problem if you then, say, do a triumphant blog post about exactly what was in it.

So the zip stays sealed. Schrödinger's GDPR violation. Simultaneously there and not.

Fuck. That. I ain't no Data Controller.

The forensics

I'm a nerd by trade. The temptation to dig in just to be sure was, frankly, fucking unbearable. Real fucking unbearable.

What I could do without opening the file was inspect the headers. The full RFC 822 source is a thing of beauty if you have weird hobbies like mine. And what the headers told me, in increasing order of "yep that's the real Shell":

• The sending IP (130.248.154.147) sits in Adobe's published Experience Cloud netblock
• The DKIM selector is neolane, which is the corporate dad-jeans selector Adobe Campaign Classic has used since they bought Neolane in 2010 and never bothered renaming
• The X-Mailer literally says nlserver, Build 8.9.2, which is Adobe Campaign Classic v8.9.2
• The Message-ID has the host shell_mid_prod6, which I'm fairly confident means "Shell production marketing automation node, number 6"
• DKIM, SPF and DMARC all aligned cleanly
• The Adobe Audience Manager tracking pixel embedded in the body has a real campaign ID (Mid_4330285) tied to Shell's actual Adobe Org ID

This is not a phish. This is somebody, somewhere inside Shell, in their actual genuine licensed Adobe Campaign tenant, hitting send on a workflow that had a customer's email address where an internal reviewer's email address should have been. Most likely scenario based on the filename: a draft data extract prepped for SVP review (the filename literally has "SVPversion" in it) that got pushed through the live customer send pipeline instead of the internal review one.

In other words: I am the SVP now. Where's my fucking payrise?

The wholesome part

I forwarded the email, unopened, to abuse@shell.com and dpo@shell.com.

dpo@shell.com bounced. Who the FUCK doesn't have a dpo@company.com address?

It bounced with 550 5.1.10 RESOLVER.ADR.RecipientNotFound, which is Microsoft Exchange's tasteful way of saying "mate, that mailbox doesn't exist and never has". A FTSE 100 oil supermajor does not have a dpo@ mailbox configured. They have a privacy office. They have a Cyber Defence team with their own dedicated DMARC reporting inbox. They have an entire enterprise DMARC pipeline piped into Validity Everest. What they do not have is the single most obvious imaginable email address for the single most obvious imaginable purpose.

After a quick check of Shell Go+'s actual published privacy notice I re-forwarded the lot to privacy-office-SI@shell.com, and now the 72-hour clock is ticking. Not my clock. Shell's clock. UK GDPR Article 33 says personal data breaches affecting individuals' rights need to be reported to the ICO within 72 hours of the controller becoming aware. They became aware roughly four hours after I did, which is genuinely wild considering I'm just some bloke who buys their unleaded.

What I learned

A few things, none of them flattering to anyone:

1. Misdirected emails are the leading cause of personal data incidents reported to the ICO. Has been for years. The threat model that keeps a typical UK business's DPO awake at night isn't ransomware crews from Pyongyang. It's Karen in marketing fat-fingering an Outlook autocomplete on a Tuesday morning before she's had her second coffee.
2. The hardest single thing about being the accidental recipient is the curiosity. Dumb monkey lookie-see-lookie-do brain genuinely wants to know what's in the spreadsheet. You have to override it consciously, like resisting the urge to read the comments under a YouTube video about vaccines. Or influencers. Fucking influencers.
3. The infrastructure underneath modern marketing automation is genuinely impressive. Adobe Campaign Classic is a properly serious bit of kit. The infrastructure also has one single load-bearing element: a human, clicking. Humans, as a load-bearing element, remain notoriously soft. Squishy. Flesh is weak.
4. Big enterprises will spend six figures on Adobe Campaign Classic, seven figures on their security stack, eight figures on their DMARC analytics, and still not configure dpo@ as a working mailbox. Defence in depth, except all the gates are unlocked because... well. nobody remembered to cut the key or whatever. Fuck that inbox in particular.

What happens next

Honestly? Probably nothing dramatic. Shell's privacy office will pull the campaign send log, work out how many people accidentally got the file, file an ICO notification if the count is non-trivial, and quietly send an apology. The MAP team will have an extremely tense Teams call. Someone will be tasked with writing up a process improvement memo. A workflow gate will get added. Life will go on while I furiously chant to myself.

I will not open the zip. I will not open the zip. I will not open the zip.

If you receive a weird email from Shell with a CSV attached, you also should not open the zip. Or do. Your lawsuit.

If you ARE on Shell's MAP team and you're reading this thinking "oh fuck", drop me a line. I'm not angry. I'm not even disappointed. Mostly I'm just amazed that dpo@shell.com doesn't exist.

My socials are on my about page.