Blames ‘technical error’ for disclosure of customer names and email address, as it fixes flaw
Amazon has experienced an embarrassing data lapse as it heads into one of its busiest periods on Black Friday.
The e-commerce giant emailed customers on Wednesday to tell them their names and email addresses had been leaked on its website, due to a “technical error.
This time last year “critical data” belonging to the US army was discovered on a virtual image of a hard disk left on an AWS server. To make matters even worse, that data was not even password protected.
At this time it is unclear how many Amazon users have been affected, as Amazon remains tight-lipped about the data breach.
BetaNews reported that Amazon had sent out an email saying the company has, “…inadvertently disclosed your name and email address due to a technical error.”
“The issue has been fixed,” the email states. “This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
Amazon issued an extremely terse statement to BetaNews on the subject.
“We have fixed the issue and informed customers who may have been impacted,” Amazon’s PR department reportedly said.
It seems that affected users may not need to reset their passwords, but the exposed information could still present risks for customers from phishing attacks.
The fact that this information could be used for criminal purposes was picked up by security experts.
“The recent incident, which caused the exposure of a large amount of client emails from a popular online shop, is worrying,” said Tatyana Sidorina, Security Researcher at Kaspersky Lab. “Emails may seem a small matter compared to the theft of bank details or other data breaches, but this sort of information is in fact precious for scammers.”
“It’s important to understand that any personal data can be used by cybercriminals to target their victims,” Sidorina added. “For example, if criminals compromise a company and get hold of their customer’s email addresses, they can create an automatized spam mailout that mimics an authentic email, and entices users to follow a malicious link or download a malicious file onto their devices.”
“Now is the time to be extra careful,” said Sidorina. “The world is heading into the busiest shopping season of the year, starting with Black Friday, and people are hurrying to bag fast-disappearing exclusive deals from the tons of e-mails in their mailbox. It’s becoming quite common for people to thoughtlessly compromise their bank accounts by following a phishing link and entering their bank credentials.”
Another expert said that it has been a difficult year for retailers with data breaches.
“Major retailers and brands have been taking a bashing from cyber criminals this year, and Amazon is the white whale when it comes to e-commerce,” said Richard Walters, CTO of CensorNet.
“While no official number has been put to the number of customers affected, following closely behind Vision Direct, British Airways, Dixons Carphone to name just a few – this could well be the biggest yet,” he added. “If the reports are correct, the information leaked (names and email addresses) is less significant than some of these other breaches, which saw card details leaked. However, it would be wrong to assume that this makes the breach inconsequential.”
Meanwhile another expert questions whether the Amazon incident is actually a breach at all.
“I wouldn’t hurry with premature conclusions until all technical details of the incident become clear,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge. “Based on the information currently available, it is technically incorrect to call this incident a ‘data breach’”.
“This rather looks like an inadvertent programming error that made some details of Amazon’s profiles publicly available to random people,” he added. “Unfortunately, even such companies as Amazon are not immune from such omissions. Our IT systems become more convoluted and intricate every day, inevitably causing more human errors. Amazon’s reaction seems to be quite prompt, however an official statement would certainly be helpful to prevent any speculation and unnecessary exaggeration of the incident and its scope.”
Think you know all about Amazon? Try our quiz!