Scathing report details data security negligence at Amazon

Something’s wrong at Amazon

The report, prepared by Wired and The Center for Investigative Reporting, is based on internal documents and interviews with current and former employees revealing how Amazon ignored numerous security issues.

Here are just a few of the problems detailed in the extensive report:

• Untraceable data: Amazon information security teams had no way of knowing who had copied data internally and how much they had taken. This leaves Amazon’s mountains of data vulnerable to any internal bad actor who could steal the data and sell it or even just accidentally lose it with no malicious intent.
• Open access to data: To drive new ways to take advantage of data, Amazon gave practically everyone inside the company access to user and customer data. This includes more than just business and marketing teams. Even customer support specialists could review the purchase habits of practically any account, which meant that many were tracking their exes’ purchases or the private purchases of celebrities.
• Third-party data access: Much like during the Cambridge Analytics scandal, it was extraordinarily easy for some third-party partners to access much of Amazon’s user and customer data. They then extracted this data and used it as they saw fit, often violating local laws to give their clients unfair advantages.
• Dismissive culture: Throughout the report, numerous sources indicate that employees had raised the issue of data security and privacy many times, but that most of their concerns were ignored.

These are just some of the claims being made about data security and privacy at Amazon. But have any of these materialized as credible threats to Amazon vendors and consumers? As it turns out, yes.

How Amazon’s user data was abused

• Buyer account abuses: On numerous occasions, customer support specialists were found to be accessing the purchasing data of friends, family members, and celebrities who they had never had to help as part of their jobs.
• Bribes for unfair business practices: Over several years, an Amazon vendor by the name of Krasr (the report identifies him as Mohamed Multhazim Akbar Ali) paid out $160,000 USD in bribes to Amazon employees. He used these contacts to gain privileged information about competing retailers, replace their orders with his own, and make their online businesses untenable. Separate from the bribery issue is the fact that many of the permissions used to perform these scams shouldn’t have existed in the first place. Alternatively, such permissions should have been carefully monitored.
• Review manipulation: Numerous companies were formed whose business model revolved around helping vendors abuse troves of Amazon data to manipulate reviews. Some companies helped find reviewers’ email addresses and contact them to convince them to change their reviews. Others would take a more direct approach, using data and insider access to break into users’ accounts and remove negative reviews themselves. All of these are examples of insider threats that became possible precisely because of Amazon’s approach to user data.

Adding to the mountain of problems for Amazon (and its users) is the slow rate at which changes can happen at such a large company. Furthermore, it’s not yet clear how Amazon will resolve its troubles with the EU’s GDPR, which can exact millions of dollars in fines for poor data practices.

What can you do?

Because it’s an online retailer, users need to put a lot of trust in Amazon. Not only does your data reveal your interests and needs, the online marketplace will also have your payment card details stored. With the information revealed by this report, it’s up to you to decide if you want to continue shopping from or selling on a platform where you may face these types of risks.

If you want to stay with Amazon, here are some tips:

• Watch out for Amazon scams: Your data is at risk of falling into the hands of scammers who can email you with scammy messages. Stay aware.
• Watch your bank statements: If your data ever does get compromised, make sure you’re ready to detect potential abuses by tracking your bank activity.