Amazon collects quite a bit of data on its customers, which include both individuals and businesses. Some of this data originates in direct relationships with consumers; in other cases, it runs through Amazon Web Services (AWS). Because so many companies rely on AWS to run their digital operations, you are likely doing business with Amazon in ways you’re not fully aware of.
Amazon strives for security, and for the most part it has done a good job of protecting customer data. But it has had some breaches over the years, and additional customers have been exposed through faulty configurations and other issues with AWS. These aren’t necessarily Amazon’s fault, but we’ll profile them at the end of this article.
Amazon Data Breach Timeline
November 2018 – Customer Names and Email Addresses Exposed
Just two days before Black Friday in November 2018, Amazon announced a major data breach involving customer names and email addresses. The company stated that it reached out to impacted users but didn’t disclose the extent of the breach, which it called a technical issue that led to the accidental posting of customers’ private information on the website.
September 2019 – Amazon Japan Personal Data and User Order Histories Exposed
In late-September 2019, Amazon Japan users were suddenly seeing the order histories of other shoppers. Along with purchase details, shopper names and delivery addresses were also viewable.
It isn’t entirely clear how many users of the Japanese Amazon site were impacted by the issue. However, within days of the incident making headlines, Amazon announced that it resolved the problem and had contacted customers who reached out about the issue.
January 2020 – Employees Share Customer Contact Info with Third Party
A group of employees was ultimately fired after they were caught sharing sensitive customer data with a third party. A number of customer email addresses and phone numbers were released, though it isn’t clear precisely how many.
August 2020 – Amazon Alexa Bug Exposes Voice History, Other Data of Users
A flaw in smart devices using Alexa made it possible for hackers to access sensitive information and other data from the devices. Hackers could install or delete apps, explore voice histories, and more, all without the knowledge of the device owner.
There are hundreds of millions of Alexa-enabled devices worldwide, so the number of people at risk easily qualifies as staggering. To use the exploit, a malicious Amazon link had to be sent to the device user. If the user clicked the link, the attacker could gain enough access to steal a token, giving them the ability to remove or add apps to the device.
If a malicious app was installed with an invocation phrase that matched a commonly used, safe application, speaking that phrase would then trigger malicious software, often without the device owner’s knowledge. Depending on how that software was designed, it could accomplish a wide range of tasks.
Additionally, attackers may have had direct access to voice histories in the device. Considering that certain apps interact with sensitive conversation-based data, this left users incredibly vulnerable. Further, certain personal account information was also accessible to attackers. This could include names, addresses, and similar data.
Amazon did address the vulnerability. It isn’t clear how many users were targeted by malicious actors exploiting it.
October 2020 – Customer Email Address Leaked by Malicious Employees
For the second time in 2020, disgruntled Amazon employees voluntarily released a number of Amazon customer email addresses to third parties.
The employees responsible for the insider breach were fired. While Amazon did directly email any customers that may have had their email addresses distributed to a third party, it isn’t clear precisely how many customers were impacted by the incident.
It’s a little troubling to see two incidents of this nature happening in one year. It’s unclear if they were connected, and Amazon has not been forthcoming with greater details about these incidents.
Amazon Web Services Breaches
Not all Amazon-related breaches involved hacking. Instead, a significant number occurred because Amazon Web Services (AWS) customers failed to correctly configure their cloud servers, firewalls, or web applications.
For example, an improperly configured S3 bucket can leave sensitive data exposed to the public. When this occurs, accessing the data requires nothing more than the correct address of the bucket; no hacking, malware, or similar tactics are involved.
While Amazon isn’t necessarily to blame for the improper setup of S3 buckets, as that responsibility technically falls to the client company, the involvement of AWS services does create a connection to the tech giant. Here is a look at some of the incidents involving AWS services that weren’t necessarily the fault of Amazon.
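As an added example (not part of the original article), here is a small Python audit of the misconfiguration described above: it takes the JSON shapes S3 returns for a bucket’s policy, ACL and Block Public Access settings and reports whether anyone who knows the bucket’s address can read it. The bucket name and sample policy are constructed, and the hardened variant shows the corrected Block Public Access setting beside the weak one.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = {"*", "s3:*", "s3:getobject", "s3:listbucket"}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def policy_is_public(policy):
    """True if an Allow statement grants read/list to principal "*". A Condition
    is deliberately not trusted to narrow the audience; review those by hand."""
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if (st.get("Effect") == "Allow" and "*" in _as_list(principal)
                and actions & READ_ACTIONS):
            return True
    return False
def acl_is_public(acl):
    """True if the bucket ACL grants anything to AllUsers/AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               for g in acl.get("Grants", []))
def pab_blocks_all(pab):
    """True only when all four Block Public Access settings are enabled."""
    return all(pab.get(f) is True for f in PAB_FLAGS)
def assess_bucket(bucket):
    """Return (exposed, findings): a public grant is exposure only if no PAB."""
    findings = []
    if policy_is_public(bucket.get("Policy", {})):
        findings.append("bucket policy grants access to everyone")
    if acl_is_public(bucket.get("Acl", {})):
        findings.append("bucket ACL grants access to everyone")
    blocked = pab_blocks_all(bucket.get("PublicAccessBlockConfiguration", {}))
    exposed = bool(findings) and not blocked
    if not blocked:
        findings.append("Block Public Access is not fully enabled")
    return exposed, findings

# Constructed sample inputs (not real buckets), shaped like the S3 API's JSON.
EXPOSED = {
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::constructed-analytics-export/*"}]},
    "Acl": {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True},  # 1 of 4 only
}
HARDENED = dict(EXPOSED, PublicAccessBlockConfiguration=dict.fromkeys(PAB_FLAGS, True))
```

In a real account the three dicts would come from GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock for each bucket; the point of the hardened variant is that the same public policy and ACL stop being an exposure once all four blocks are on.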
June 2017 – Personal Data on 198 Million Voters Exposed
Deep Root Analytics – a data analytics firm that the Republican National Committee hired to gather information on American voters – left an S3 bucket containing records on approximately 198 million American voters unsecured. Along with personal information like names, addresses, birth dates, and phone numbers, the server also held voter profiling data, such as party affiliation.
The information was on an Amazon server but was not password protected. It was left accessible to the public for around two weeks, though it isn’t clear whether the data was stolen by a malicious actor.
July 2019 – Sensitive Data on Over 100 Million Capital One Customers Revealed
Capital One – an AWS customer – revealed in July 2019 that its server was hacked by a former Amazon employee. In total, over 100 million customers were impacted, exposing sensitive personal information like Social Security numbers, bank account numbers, credit card transaction records, credit scores, and more.
The person behind the hack was reportedly a woman who previously worked as an AWS systems engineer. Capital One blamed a “firewall misconfiguration” for the breach. Amazon denied any responsibility, stating that their systems weren’t at fault.
Still, the incident put an uncomfortable spotlight on AWS, and not all were convinced that the tech giant was free from all responsibility.
February 2020 – Millions of Shoppers’ Data Exposed
In February 2020, a large, unsecured AWS database was discovered holding sensitive data on millions of European shoppers, including records from Amazon, PayPal, eBay, Shopify, and Stripe. Along with names, addresses, emails, and phone numbers, the records included payment histories, order histories, invoice links, and partial credit card numbers.
There were also other kinds of data in the database. For example, an Amazon Marketplace Web Services (MWS) authentication token was in the mix, as well as an AWS access key ID and some MWS queries.
It appears that the database belonged to a company that was conducting a value-added tax (VAT) analysis. Not only was the core incident concerning, but it also showcased how much data can end up in the hands of third parties, often without the shopper’s knowledge.