Amazon Snafu Exposed Customers' Names and Email AddressesScant Detail About Incident and Unusual Notification Raises Eyebrows
Amazon has blamed a technical error for its inadvertent exposure of some customers' names and email addresses online, and it says the problem has now been fixed. The online retailing giant maintains that its systems were not breached, and it says that it has emailed a notification to all affected customers.
"We have fixed the issue and informed customers who may have been impacted," an Amazon spokesman tells Information Security Media Group.
Amazon declined to specify how many people were affected, in which regions of the world they live or whether it has alerted any regulators about the data exposure. Based on posts to Twitter from customers who received a notification, it appears that the data exposure at minimum affected individuals in the U.S. and Europe.
The scant information issued by Amazon about the incident has raised some eyebrows, especially because consumers are becoming increasingly attuned to data privacy issues, thanks to many countries strengthening their data protection laws.
It's not clear whether Amazon's data exposure would require the online retail giant to directly notify affected U.S. residents. Every state has slightly different rules and requirements for when that needs to happen.
Washington state, where Amazon is headquartered, requires that organizations that suffer a data breach or inadvertent data exposure notify affected residents as well as the state's attorney general's office within 45 days of discovering the incident. The law applies to breaches affecting 500 or more people.
The state defines a breach as being an unauthorized acquisition of data, according to the law firm Perkins Coie. No notice is required if the breach does not disclose information that could result in a risk of harm to consumers, the law firm writes.
Because Amazon says the exposure was the result of a technical problem rather than a malicious action, it would appear to avoid the first threshold under Washington state's law.
The types of personal information the state of Washington considers to qualify for a mandatory data breach notification are first names, first initials and last names that are leaked in combination with another piece of sensitive data, such as a Social Security number, driver's license number or bank account details. Email addresses are not mentioned.
GDPR Now in Full Effect
The scene may be different in Europe, however, where the General Data Protection Regulation took effect in May (see: Fresh GDPR Complaints Take Aim at Targeted Advertising).
GDPR now stands as one of the most strict regulations in the world when it comes to how organizations must deal with leaks, and violators face the threat of severe potential penalties. GDPR requires organizations to report incidents to an appropriate regulator within 72 hours of discovering them.
Under GDPR, email addresses - even ones that are work-related - are considered personal data, according to an analysis published by the U.K.-based law firm Beswicks Legal.
The Information Commissioner's Office, which enforces GDPR in the U.K., didn't immediately respond to a request for comment. But it told the Register on Wednesday that it had yet to receive any notification from Amazon, and it noted that choosing whether the data exposure would meet GDPR's mandatory breach-reporting threshold would be up to Amazon (see: Europe Catches GDPR Breach Notification Fever).
Regardless of data security laws, Amazon's leak of email addresses could put customers at risk from phishing attacks, says Colin Bastable, CEO of Lucy Security. Phishing emails continue to be devastatingly effective at duping people into divulging their login credentials to attackers.
"Most U.S. households have an Amazon account, and as we know, consumers recycle the same three or four passwords over most accounts," Bastable says. "Cybercriminals can now start to build consumer profiles to rival Facebook, Google and Amazon, with significantly heightened online risk for all consumers."
In fact, some security experts have been warning that many gangs likely already possess such profiles, which they use to facilitate identity theft, money laundering and other criminal activities.
Suspicious Email, From Amazon
Some Amazon customers posted the email notification they received on Twitter, and many had immediately spotted an oddity.
r/t Amazon warns customers it leaked their names and email addresses. What aren't you telling us Amazon, and why? https://t.co/64p2OACVQm— Graham Cluley (@gcluley) November 22, 2018
Although Amazon encrypts connections over the web - signified by "https" being in the URL window - the signature block of the link to Amazon within the email doesn't have that. Amazon says the emails are genuine. But it appears that they may have been hastily composed.
"Turns out that weird data breach notification email from Amazon *is* real ..." writes Graham Cluley, a cybersecurity expert and blogger, on Twitter. "Amazing lack of detail, and plenty of reasons why people felt it could be dodgy."
Executive Editor Mathew Schwartz contributed to this story.