Amazon says customer data exposed but provides few details as holiday shopping heats up

Amazon did not say how many of its users had been affected or where and how e-mails had been exposed. It only said that its website and other systems had not been breached.
Amazon did not say how many of its users had been affected or where and how e-mails had been exposed. It only said that its website and other systems had not been breached.PHOTO: REUTERS

WASHINGTON (WASHINGTON POST) - Amazon.com informed some customers on Wednesday (Nov 21) that their names and e-mail addresses had been "inadvertently disclosed" as a result of a "technical error", but declined to provide more details about the security incident.

The e-commerce giant confirmed it sent the messages, adding in a subsequent statement that it had "fixed the issue".

Amazon did not say how many of its users had been affected or where and how e-mails had been exposed. It only said that its website and other systems had not been breached.

Amazon's limited disclosure comes days before the Black Friday and Cyber Monday holiday shopping frenzies, ahead of a season when holiday e-commerce sales are estimated to total more than US$123 billion (S$169 billlion), according to eMarketer.

Its handling of the security lapse drew sharp criticism on social media. Among its own sellers, some took to the company's forums to complain about Amazon's tight-lipped handling of the matter.

"Who knows what they're not disclosing about this," wrote one user. "Hopefully nothing..."

Others questioned Amazon after it told users there's "no need for you to change your password or take any other action", fearing that hackers still might try to use their names and e-mail addresses for nefarious purposes, including phishing scams.

It's not the first time Amazon has run into security troubles. In October, the tech giant reportedly fired an employee who inappropriately shared customers' e-mails with a third-party vendor. The security lapse, which Amazon said it was working with law enforcement to investigate, similarly resulted in messages to customers indicating their e-mail addresses had been exposed. Amazon did not reveal how many people were affected.

The latest incident, however, could embolden those who would like to see tech giants and other businesses disclose more information about security incidents to their customers. Over the past year, tech giants such as Facebook and Google have experienced more serious mishaps affecting their users' personal data.

The Securities and Exchange Commission in April announced that Yahoo would pay a US$35 million penalty to settle charges that it misled investors by failing to disclose one of the world's largest data breaches in which hackers stole personal data linked to hundreds of millions of user accounts.

Yahoo learned of the intrusion in 2014, but the company did not reveal the incident until 2016, when it was in the process of being acquired by Verizon Communications.

But currently, the federal government has no law requiring companies to tell consumers when their information has been stolen or compromised.

Most states do have rules, but they generally cover only incidents in which sensitive personal information, like driver's licence numbers or credit card information, is taken. That includes Amazon's home state of Washington, where companies must inform residents of data breaches if the mishap includes the unauthorised disclosure of names along with information like Social Security numbers.

It is not clear when Amazon's technical error occurred or how long customer data might have been exposed. Amazon also did not detail the nature of the glitch or its fix.

Some analysts estimate that Amazon now has nearly 100 million subscribers paying for Amazon Prime. But the universe of consumers who use the site is much larger.