This morning I received a number of messages from Amazon customers who had received an email purporting to come from the company. The emails warned that their email addresses and names had been leaked.
The email read as follows:
Hello,
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely,
Customer Service
http://Amazon.com
Was the email really from Amazon?
Most of the people who forwarded it to me thought the message was suspicious. Why wouldn’t Amazon refer to them by name rather than just saying “Hello”? Why was there a link to the http (rather than https) version of Amazon’s website? How could they possibly issue an advisory like this about a security breach without offering more information about what had happened and over what time period, and where folks could find out more? Why was there no link to some kind of confirmation on Amazon’s own website?
It all seemed very odd. I publicly wondered whether perhaps scammers had made a mistake by forgetting to include a link to a phishing site.
Well, as The Register found out, despite appearances the email did *really* come from Amazon.
All Amazon’s PR team is prepared to say, however, is an utterly detail-free repetition of the content of the email:
“We have fixed the issue and informed customers who may have been impacted.”
So we don’t know what happened, we can’t assess how serious it is, we can’t tell you how many customers are affected, or why Amazon sent out such a suspicious-looking email in the first place.
Unsuprisingly, customers aren’t impressed.
I received the same email from @amazon. It contained zero details and pathetic assurances. I am a loyal prime customer and want answers. So far their response is underwhelming. #amazon #databreach https://t.co/34IulsJk98
— April Sharp (she/her) (@SharpApril) November 21, 2018
What aren’t you telling us Amazon, and why?
Sounds like a criminal is working on the inside, if you ask me.
Is the ICO aware of this and if so is it something they should be investigating? If they aren't aware, then Amazon are in double breach of the Data Protection Act by not informing the ICO.
Sounds like a GDPR breach if two items of PII are leaked.
An utter shambles for Amazon PR. The reputational damage is huge, compared to being more open.
But on the legals, they have done nothing wrong yet:
(1) Amazon only has to inform data subjects and a regulator if there's "a high risk to the rights and freedoms of natural persons".
(2) Even if Amazon need to inform properly, with more detail so it's GDPR-compliant, they don't have to do that yet. The requirements are: without undue delay (to data subjects), or 72 hours plus as much extra time as they can justify taking (to the regulator).
(3) It would probably be the Irish Regulator not the UK ICO
Names and emails were exposed. That's it. This isn't really a big deal… surely not as big a deal the tin foil hat author makes it out to be
Yes Jeff, a GDPR breach is not a big deal.
</sarcasm>
A serious GDPR breach can incur a fine of up to 6% of Amazon's global group of companies. In 2017, that was US$177.866 billion. Do the maths.