28 Nov Mighty Amazon Cut Down in Black Friday Data Breach
There are many myths surrounding the creation and naming of Black Friday, the yearly shopping bonanza imported from America, which these days seemingly extends to almost everything, including the dark web, where cyber criminal gangs were reported to be selling stolen credit card details at a discount.
One explanation for the name is that it is at this time of year, in the build-up to Christmas, that retailers move from operating at a loss (in the red) to making a profit (in the black). One can see why, considering the level of consumer spending that takes place over the space of a week.
You can therefore imagine that it is of the utmost importance to any retailer, big or small, that this crucial event runs as smoothly as possible. Amazon may look back on this year's unfavourably, as it disclosed a data breach just two days before the main event (Wednesday 21st November).
The first indication of the incident was the mass email which Amazon sent to its customers, warning that a technical error on its website had left customers' personal data accessible. The personal data items involved were later reported to be email addresses and customer names.
At the time of writing, the number and location of those affected remain unknown, although commentators speculate that customers in the UK, US and India are involved, based on who received the warning email.
The ICO Shrugs its Shoulders
Naturally, there has been much commentary over how this might affect Amazon, in particular with respect to its obligations under the GDPR, which requires a data controller to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of natural persons.
When the ICO (the UK supervisory authority) was questioned about the situation by an IT security news outlet, it gave a canned response.
“Under the GDPR,” said the data protection regulator, “organisations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and co-operate with other supervisory authorities where required.”
From the nature of the incident as so far described by Amazon itself, this is a personal data breach by definition under the GDPR, which covers accidental as well as malicious loss or disclosure of personal data, regardless of whether the cause was an attacker or an internal error. Whether the personal data leaked is likely to risk the rights and freedoms of natural persons is for both Amazon and the European supervisory authorities to determine. Watch this space.
This, however, does not spare it embarrassment at home, where the conditions for disclosing a data breach are much more rigid. Headquartered in Washington State, Amazon is required by state law to notify the state Attorney General of a data breach that affects more than 500 state residents, provided the exposed data falls within the statute's definition of personal information.
When Phishing is Not Phishing
Comically, it would seem that Amazon was much faster at pushing the customer notification email button than at informing its own staff. The Register reports that some of its readers queried the notification email with customer support, worried that it was yet another Amazon-themed phishing attempt. Despite the email being genuine, customer support told them that it did not originate from Amazon.
It would seem there is a lot to be desired at Amazon when it comes to security and internal communication.
Ultimately, Amazon appears to be playing down the issue by admitting only that email addresses and names were at risk, presumably because it believes such personal information is far less important in the eyes of the public.
Those in the know, know better. In the case of Amazon, the email address is the username, so knowing it supplies half of the credential pair. That is enough for brute force or credential-stuffing attacks against the password (trying passwords leaked from other breaches against each address), and a leaked name paired with an address makes a targeted phishing email far more convincing when the goal is to extract the password from the user themselves.
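As an added illustration of the brute-force and credential-stuffing risk described above, the following Python script is example detection logic written for this page; it is not Amazon's code and does not come from the original article. It parses a constructed authentication log (the format, timestamps, addresses and thresholds are all assumptions) and flags two patterns a leaked email list enables: many failures against one account followed by a success, and one source address failing against many distinct accounts.

```python
"""Detect brute-force and password-spraying patterns in authentication logs.

Added example, not from the original article. The log format below is a
constructed one (timestamp, result, account, source IP); adapt LINE_RE to
whatever your authentication service actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real Amazon data.
SAMPLE_LOG = """\
2018-11-21T10:00:01Z LOGIN_FAIL account=alice@example.com src=203.0.113.5
2018-11-21T10:00:03Z LOGIN_FAIL account=alice@example.com src=203.0.113.5
2018-11-21T10:00:04Z LOGIN_FAIL account=alice@example.com src=203.0.113.5
2018-11-21T10:00:06Z LOGIN_FAIL account=alice@example.com src=203.0.113.5
2018-11-21T10:00:07Z LOGIN_FAIL account=alice@example.com src=203.0.113.5
2018-11-21T10:00:09Z LOGIN_FAIL account=alice@example.com src=203.0.113.5
2018-11-21T10:00:10Z LOGIN_OK   account=alice@example.com src=203.0.113.5
2018-11-21T10:01:00Z LOGIN_FAIL account=bob@example.com src=198.51.100.1
2018-11-21T10:01:30Z LOGIN_OK   account=bob@example.com src=198.51.100.1
2018-11-21T10:02:00Z LOGIN_FAIL account=carol@example.com src=192.0.2.10
2018-11-21T10:02:01Z LOGIN_FAIL account=dave@example.com src=192.0.2.10
2018-11-21T10:02:02Z LOGIN_FAIL account=erin@example.com src=192.0.2.10
2018-11-21T10:02:03Z LOGIN_FAIL account=frank@example.com src=192.0.2.10
2018-11-21T10:02:04Z LOGIN_FAIL account=grace@example.com src=192.0.2.10
2018-11-21T10:02:05Z LOGIN_FAIL account=heidi@example.com src=192.0.2.10
2018-11-21T10:02:06Z LOGIN_FAIL account=ivan@example.com src=192.0.2.10
2018-11-21T10:02:07Z LOGIN_FAIL account=judy@example.com src=192.0.2.10
2018-11-21T10:02:08Z LOGIN_FAIL account=mallory@example.com src=192.0.2.10
2018-11-21T10:02:09Z LOGIN_FAIL account=oscar@example.com src=192.0.2.10
2018-11-21T10:02:10Z LOGIN_OK   account=peggy@example.com src=192.0.2.10
"""

# Assumed line layout; real services differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>LOGIN_FAIL|LOGIN_OK)\s+"
    r"account=(?P<account>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip (log it in production)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m.group("result"),
                       "account": m.group("account"), "src": m.group("src")})
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Most timestamps (already sorted) that fall inside any span of `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts hit by >= threshold failed logins inside `window`.

    Returns {account: {"failures": n, "success_after_failures": bool}}.
    A success that directly follows a burst of failures is the takeover signal.
    """
    fails = defaultdict(list)
    last_result = {}
    success_after = set()
    for e in events:
        if e["result"] == "LOGIN_FAIL":
            fails[e["account"]].append(e["ts"])
        elif last_result.get(e["account"]) == "LOGIN_FAIL":
            success_after.add(e["account"])
        last_result[e["account"]] = e["result"]
    flagged = {}
    for account, times in fails.items():
        n = _max_in_window(times, window)
        if n >= threshold:
            flagged[account] = {"failures": n,
                                "success_after_failures": account in success_after}
    return flagged


def detect_spraying(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs whose failures span >= threshold distinct accounts in `window`.

    This is the credential-stuffing / password-spraying shape that a leaked
    list of email addresses enables: one guess tried across many accounts.
    """
    by_src = defaultdict(list)  # src -> [(ts, account)], time-ordered
    for e in events:
        if e["result"] == "LOGIN_FAIL":
            by_src[e["src"]].append((e["ts"], e["account"]))
    flagged = {}
    for src, items in by_src.items():
        best = start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({a for _, a in items[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(ev))
    print("spraying:", detect_spraying(ev))
```

Note that a single-account failure burst and a many-account spray are caught by different keys (account versus source address): per-account lockout alone does nothing against an attacker who tries one password across ten thousand leaked addresses, which is why both views are needed.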
Amazon should be recommending the following steps:
- Be extra cautious of any email purporting to be from Amazon that asks you to sign in to your account; go to the site directly rather than following links in the message.
- Ensure you are using a sufficiently strong password for your Amazon account, and one you do not reuse on other sites.
- Where possible, enable multi-factor authentication (two-step verification) to further strengthen the authentication process.