Amazon Reports a Data Breach Just Before Black Friday
Multi-billion-dollar technology companies got so big not just because they presented an innovative product and did a good job of marketing it. In the online world, users need to feel safe when they're taking advantage of a particular service, which is why big internet ventures invest millions in cybersecurity. People often assume that thanks to all this money, these giants can never lose our data. Every now and again, one of them experiences an incident which illustrates how wrong this assumption is. Yesterday it was Amazon's turn.
Amazon made a boo-boo
It's Black Friday tomorrow, and we can only imagine that the world's biggest online retailer's offices are bustling as it prepares itself for the most active shopping day of the year. We've no idea whether this has anything to do with it, but apparently, an Amazon employee who was tasked with handling some users' data made an embarrassing mistake and left some information exposed.
Typically, an Amazon account contains quite a lot of sensitive data like shopping history, billing and shipping addresses, credit card details, etc. Learning that some of it might have been leaked is not a fun experience.
No need to panic (for now)
Thankfully, the compromised data wasn't that sensitive. Some people's email addresses were exposed, and a portion of the affected users also had their names leaked. Currently, there are no reports of anything more valuable ending up in the wrong hands.
Amazon is adamant that the issue is now fixed and that there's no immediate need for users to change their passwords. But is this really the case?
Well, that depends largely on what your Amazon password is. If it's weak, you should definitely think about changing it, especially if you're using it to protect more than one account. Indeed, Amazon hasn't put it in any immediate danger, but other vendors might, and then the consequences could be quite severe.
That is one phishy-looking email
Amazon certainly got a lot of heat from the information security community yesterday. It wasn't for the technical error that exposed users' data, though. It was for the emails the online retailer sent to the affected customers. Here is what one of the messages looked like:
— Srinivas KC (@srinivaskc) November 21, 2018
Small and medium-sized business owners reading this can do a little experiment. Take the email above and show it to your employees. If all of them say that it looks suspicious, you're fine. If some of them reckon that there's nothing wrong with it, you might want to think about organizing an anti-phishing training program.
It's amazing how such a big company managed to get it so wrong. Take the link at the end as an example. A link in an email is a bit of a no-no at the best of times. Amazon not only included it in its breach notification, but it also posted it with http:// rather than https://. Then there's the complete lack of any concrete information about the incident.
Who was responsible? How long was the data exposed for? How many people were affected? What did Amazon do to secure the data? What did it do to ensure that this won't happen again?
These questions, as valid as they are, remain unanswered by the rather short email. When reporters tried to get some more information, Amazon remained just as tight-lipped, which means that some people are now weighing the chances of the online retailer actually hiding something.
Amazon's response to the whole ordeal was less than perfect, it must be said. It's not like the regulators seem to be in a hurry to do something about it either, which does raise some questions about the efficacy of GDPR and the rest of the new data security rules and regulations.
All in all, plenty of conclusions can be drawn from what appears to be a relatively small, low-impact incident. Sadly, not many of them make us feel particularly optimistic about the future.