Early on November 21, 2018, I, along with an undetermined number of other Amazon customers, received the following email from Amazon:
This breach notification lacked most of the information expected to be included in a breach notification from any reputable company, including:
- How was the information disclosed?
- For how long was the information accessible?
- How many people accessed the information while it was accessible?
- How many customers were impacted by the breach?
- What steps have been taken to ensure that a similar breach does not occur in the future?
- Has the breach been reported to authorities as required by law?
In addition, the breach notification provided no instructions for how customers could ask Amazon for more information. And, as if all this weren’t dodgy enough, the URL at the end of the email used “http:” instead of “https:”, omitted the “www.” prefix from the Amazon URL, and capitalized “Amazon” in the URL. All of these details are inconsistent with other emails that Amazon sends out.
The breach notification was so poor that many Amazon customers suspected that it was bogus. Therefore, they and many journalists reached out to Amazon asking whether it was legit. Amazon responded: yes, it was a legitimate email; yes, there was a security breach; no, we are not going to provide you with any more information about it than we already have.
A frenzy erupted on social media, both about the fact that the notification email was so terrible, and about the fact that Amazon was refusing to provide any additional details about the breach.
I was one of the Amazon customers who reached out to Amazon about the breach. Here’s the end of my half-hour chat with them:
08:57 AM PST Jafet S: I understand and I can assure you that we are working to solve this and get to the root to see what happened but I can assure you Amazon security is very safe and serious, your information is safe
08:58 AM PST Jonathan Kamens: “I understand and I can assure you that we are working to solve this and get to the root to see what happened”
Does that mean you are going to provide customers with more information about this breach at some point in the future?
08:59 AM PST Jafet S: In this case what we can do is I can file a form here on my end to get a specialist team to take a look at your account and that you request more information
09:00 AM PST Jafet S: in this case the specialist team would be the Security team
09:01 AM PST Jonathan Kamens: Yes, if it will take a referral to the security team to get more information about what happened, then I would like a referral to the security team.
09:02 AM PST Jonathan Kamens: But, again, I don’t understand why this is necessary. I don’t understand why Amazon isn’t providing more information to everyone who was affected. I don’t understand why you aren’t being responsive to and honest with the media about this incident.
09:03 AM PST Jafet S: I understand your concern and I will get this feedback sent, I can assure you that you are not the only one with these questions and they will get responded to soon. Allow me one moment to fill the form on my end one second please
09:07 AM PST Jafet S: thank you for your time
09:08 AM PST Jafet S: I sent your request to the security team! So this can get solved, but I can assure you we take all security-related matters very seriously, and your account security is our top priority. We have policies and security measures in place to ensure that your personal information remains secure.
09:09 AM PST Jonathan Kamens: Thank you.
It is now a week later, and I still haven’t heard back from anyone at Amazon about the details or scope of this breach.
I have therefore decided to boycott Amazon until they disclose details about this breach and confirm that it has been reported to the legally mandated authorities. I encourage others to do the same. Yes, boycotting Amazon will be inconvenient, but it’s important. Companies like Amazon need to understand that they can’t get away with hiding details about security breaches, and the only way to send that message is by hitting them in the pocketbook.
You can read more about this breach at:
https://techcrunch.com/2018/11/21/amazon-admits-it-exposed-customer-email-addresses-doubles-down-on-secrecy/
https://www.theguardian.com/technology/2018/nov/21/amazon-hit-with-major-data-breach-days-before-black-friday
https://twitter.com/search?q=amazon%20breach
UPDATE ON NOVEMBER 29, 2018: I once again contacted Amazon and asked for more information about this breach. They said they are “still researching this with the security team who are doing their best to know what happened,” and were not able to provide me with any additional information.
UPDATE ON DECEMBER 28, 2018: I contacted Amazon again this morning and asked for more information again. Once again, no additional information was provided. “We are already working on this since we do not have further updates regarding this but this will get fixed [sic] very soon… I can completely understand your concern completely [sic] but be assured it will get fixed soon.”