Amazon.com informed some customers on Wednesday that their names and email addresses had been “inadvertently disclosed” as a result of a “technical error,” but declined to provide more details about the security incident.
The e-commerce giant confirmed it sent the messages, adding in a subsequent statement it had “fixed the issue.” Amazon did not say how many of its users had been affected or where and how emails had been exposed. It only said that its website and other systems had not been breached.
(Amazon chief executive Jeffrey P. Bezos owns The Washington Post.)
Amazon’s limited disclosure comes days before the Black Friday and Cyber Monday holiday shopping frenzies, ahead of a season when holiday e-commerce sales estimated to total more than $123 billion, according to eMarketer. Its handling of the security lapse drew sharp criticism on social media. Among its own sellers, some took to the company’s forums to complain about Amazon’s tight-lipped handling of the matter. “Who knows what they’re not disclosing about this,” wrote one user. “Hopefully nothing. ..."
Others questioned Amazon after it told users there’s “no need for you to change your password or take any other action,” fearing that hackers still might try to use their names and email addresses for nefarious purposes, including phishing scams.
It’s not the first time Amazon has run into security troubles. In October, the tech giant reportedly fired an employee who inappropriately shared customers' emails with a third-party seller. The security lapse, which Amazon said it was working with law enforcement to investigate, similarly resulted in messages to customers indicating their email addresses had been exposed.
The latest incident, however, could embolden those who would like to see tech giants and other businesses disclose more information about security incidents to their customers. Over the past year, tech giants such as Facebook and Google have experienced more serious mishaps affecting their users’ personal data.
The Securities and Exchange Commission in April announced Yahoo would pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data linked to hundreds of millions of user accounts. Yahoo learned of the intrusion in 2014, but the company did not reveal the incident until 2016 when it was in the process of being acquired by Verizon Communications.
But currently, the federal government has no law requiring companies to tell consumers when their information has been stolen or compromised. Most states do have rules, but they generally only cover incidents in which sensitive personal information, like driver’s license numbers or credit-card information, is taken. That includes Amazon’s home state of Washington, where companies must inform residents of data breaches if the mishap includes the unauthorized disclosure of names along with information like Social Security numbers.
It is not clear when Amazon’s technical error occurred or how long customer data might have been exposed. Amazon also did not detail the nature of the glitch or its fix.
Some analysts estimate that Amazon now has nearly 100 million subscribers paying for Amazon Prime. But the universe of consumers who use the site is much larger.
In October, Amazon notified some customers that an employee had shared their email addresses with a third-party vendor in violation of the company’s policies. The employee was fired by the company. In that incident, Amazon also did not reveal how many people were affected.