Amazon Leaks Customer Data – And Belly Flops On The Response

Thursday night, I packed up my things to leave the office. On the way out the door, I turned back to my CEO (Brandon McCrillis) and said “oh <expletive deleted>, my Amazon account got hacked!” I said that after seeing an email on my phone updating me about the status of an order… an order I didn’t place being sent to a name and address I didn’t recognize.

Obviously I worry about stuff like this as a security professional. I mean, I’d like to think that at the first sign of cyber badness everyone drops everything and handles the issue. Unfortunately, I know this isn’t true. That said, I did drop everything, turned around back into the office, unpacked my laptop and began investigating.

My first stop was the Amazon website. Hmm… that’s interesting, I don’t see the order. Was it archived so it wouldn’t show on the main order page? Nope. Brandon said “did you just fall for a phish?” I checked the email and it’s signed. All the links point to Amazon. Nope, I don’t think I was phished. I had another Amazon account years ago. Is it still active? Nope, that’s not it either.

While investigating, I did see that an item I ordered for the office months ago would be shipping on Monday. The email from Amazon did mention that a backordered item was shipping earlier than expected. Just not my item (and not to me). In any case, I updated the password on my account (because of course I did) – and then?

Then I did what any self-respecting cybersecurity professional would do and alerted a friendly reporter of a data breach. Now you might be thinking “that’s premature.” But it wasn’t. I received someone else’s order details and shipping address. It goes without saying that someone else probably got my information. But why does that matter?

“It’s just order information”

But it’s not “just” order information. Here are a few reasons why.

First, I ship a lot of gear to customer sites through my Amazon account. Amazon ships quickly and consistently (and Prime shipping is awesome). I’ll be changing the way I ship as a result. I can’t have an Amazon notification issue (one that they only owned up to after a press inquiry and still haven’t notified those customers of) impact Rendition customer confidentiality. In the wrong situation, this sort of thing could open Rendition up to significant liability.

Second, you probably don’t want a stranger having your home address. Sure, it’s a moonshot, but it’s possible that a stalker might receive the address of someone who has taken pains to hide their address.

Finally, Amazon ships a lot of (weird) stuff. Some items could easily disclose the sexual orientation or sexual proclivities of a customer. Alternatively, it could show a gift that didn’t go to a spouse (potentially indicating adultery). There are countless other scenarios that could occur. Before you judge someone else, just ask if you’d be cool with your entire history being public. If you’re not, then this should concern you.

The Response (or lack thereof)

It’s been several days since Amazon likely breached my information (and definitely breached that of some unknown number of customers). I haven’t received a notification from Amazon letting me know if I’m one of the impacted parties or not. Amazon hasn’t been very forthcoming about the scope of the data breach either (and of course they aren’t calling it that).

As far as I can tell, Amazon only even acknowledged the mistake because Zack Whittaker wrote an article on it. That pretty much forced Amazon’s hand to respond. The response may have been lackluster, but it was actually a response.

Suggested ways to improve the response

Sooner or later, we’ll all have a data breach (perhaps caused by a “technical error”). Organizations should be ready to respond to these issues in a way that is transparent to their customer base. I recommend the following actions (obviously I am not a lawyer, talk to yours first):

  1. Identify the size of the impacted population. If the full size is unknown, be clear about what you know now and when to expect an update.
  2. Tell customers what you know now, what you don’t know yet, and what you simply won’t know (e.g. because you just don’t have the logs).
  3. Be clear about the type of data compromised.
  4. Communicate with victims in a timely fashion. I’m writing this almost 72 hours after Amazon sent me someone else’s home address and order details. I have a reasonable expectation they breached my personal information as well. So far? Silence.
  5. Don’t downplay the potential damage of the breach.

It should go without saying, but preparing your communication plan before a breach is a winning move. Plan for the inevitable. Better to have a plan you never use than to need a plan you never created.