Last week I spotted a tweet from UK tech reviewer Tomi Adebayo, AKA Gadgets Boy. He had just been contacted by Amazon support and informed that his personal data had been leaked by an Amazon employee.
Remarkably, for Amazon this was case closed. But Tomi, understandably, has more questions.
Today, I saw another tweet saying the very same thing.
I share this guy’s concern. It’s not ok for Amazon to have a data leak like this and just call it case closed. These are two separate cases so naturally, I turned to Google. Turns out I missed this story before because this is not technically news at all.
Amazon Has Regular Data Leaks
Back in January of this year, Silicon Republic reported that Amazon was firing staff for leaking customer personal data to third parties. The situation would appear to be like the two cases I opened with and several other reports online over the past twelve or more months.
Customers are contacted and told that Amazon is “writing to let you know that your e-mail address was disclosed by an Amazon employee to a third-party in violation of our policies. As a result, we have fired the employee, referred them to law enforcement, and are supporting law enforcement criminal prosecution”.
DPC Response To Amazon Leaks
I reached out to the Data Protection Commission of Ireland to ask what this means for Irish consumers. The DPC said, “Amazon’s main establishment in the EU is in Luxembourg and under the one stop shop mechanism in the GDPR they are regulated by the Luxembourg data protection authority, the CNPD. The DPC does not receive breach notifications from Amazon”. On the advice of the DPC, I’ve reached out to the CNPD to ask how they are reacting to this news and if any action is being taken against Amazon for what seems to be a long-running data protection issue.
Amazon Response To Leaks
In addition to the regulators, I’ve reached out to Amazon themselves for clarification on the situation. A spokesperson stated that “the individuals responsible for this incident have been fired. We have referred the bad actors to law enforcement and are supporting their criminal prosecution”. Amazon is notifying customers that their names and email addresses have been shared with third parties. This has occurred despite the systems Amazon has put in place to limit access. The response from Amazon did also state that the relevant regulatory agencies, which I’m assuming is the CNPD. I’ll be confirming this shortly.
Amazon also confirmed that no other customer information was disclosed, suggesting credit card and delivery information, along with passwords, have not been compromised.
What Does This Mean For You?
If you’ve received a similar communication from Amazon, the most important thing is to keep an eye out for phishing emails. Your data has been leaked and now someone has your email and knows you’re an Amazon customer. You could be targeted with emails trying to get you to update a password or payment details in an attempt to scam you. Most likely, nothing bad has happened yet, but you must remain vigilant.
It’s all a bit odd, isn’t it? The data breaches seem to be a fact of life for Amazon. It’s extremely unusual. I’ll be updating this article once I hear back from the CNPD. If you’re interested in some other GDPR news, check out the latest on my attempt to leave the Catholic church using GDPR.