[BreachExchange] Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

Fri Nov 23 10:04:51 EST 2018

https://www.theregister.co.uk/2018/11/21/amazon_data_breach/

H/T to InfoWarrior for sharing the news - thank you!

*Updated* Amazon has suffered a data snafu just days before Black Friday –
and the company was tight-lipped about whether it had notified the British
data protection authorities.

Multiple *Register* readers forwarded us emails sent from Amazon's UK
tentacle informing them that the online sales site had "inadvertently
disclosed [their] name and email address due to a technical error".

The email from Amazon, which included an HTTP link to its website at the
end, read:

Hello,

We’re contacting you to let you know that our website inadvertently
disclosed your name and email address due to a technical error. The issue
has been fixed. This is not a result of anything you have done, and there
is no need for you to change your password or take any other action.

Sincerely, Customer Service
[image: Amazon breach email, as seen by a reader]

Amazon's UK press office acknowledged that the email was genuine, saying
only: "We have fixed the issue and informed customers who may have been
impacted."

The company did not answer our questions as to how many customers had been
affected, whether it had informed the Information Commissioner's Office,
what the cause of the breach was or how or when it had been spotted.

The ICO acknowledged our phone call seeking comment but has yet to get back
to us.

Meanwhile, out in the badlands of Twitter, people from across the world
were wondering whether they'd been spammed or whether the email was genuine:
View image on Twitter
<https://twitter.com/ReanimationXP/status/1065124107035889664/photo/1>
[image: View image on Twitter]
<https://twitter.com/ReanimationXP/status/1065124107035889664/photo/1>

<https://twitter.com/ReanimationXP>
Drew Alden - Looking for Work!@ReanimationXP
<https://twitter.com/ReanimationXP>
<https://twitter.com/ReanimationXP/status/1065124107035889664>

When are companies like @Amazon <https://twitter.com/amazon> going to
realize how to write a proper breach letter? Once again this sounds scammy
as shit and has a completely unnecessary link at the bottom.
13 <https://twitter.com/intent/like?tweet_id=1065124107035889664>
12:05 AM - Nov 21, 2018
<https://twitter.com/ReanimationXP/status/1065124107035889664>

See Drew Alden - Looking for Work!'s other Tweets
<https://twitter.com/ReanimationXP>
Twitter Ads info and privacy <https://support.twitter.com/articles/20175256>

Alden gives his location in his Twitter profile as Phoenix, Arizona, which
is in the US. Others tweeting about it include folk in the Netherlands and
what appears to be South Korea. ®
Update @ 1630 GMT

After we repeatedly poked Amazon’s UK press office with a pointy stick,
they eventually agreed to say that this is not a breach in the sense of a
hack while maintaining that the snafu is an inadvertent technical error and
that they emailed customers from an abundance of caution.

The ICO eventually got round to telling us that it’s shrugging its
shoulders.

“Under the GDPR,” said the data protection regulator, “organisations must
assess if a breach should be reported to the ICO, or to the equivalent
supervisory body if they are not based in the UK. It is always the
company’s responsibility to identify when UK citizens have been affected as
part of a data breach and take steps to reduce any harm to consumers. The
ICO will however continue to monitor the situation and cooperate with other
supervisory authorities where required.”

Meanwhile, Amazon’s customer service department initially thought the
firm’s own notification email to affected customers was a phishing attempt.
A suspicious reader, wondering whether the shonky-looking email was
legitimate, sent it to Amazon customer services asking whether it was real,
and got the response: “The e-mail you received wasn't from Amazon.co.uk,
and we're investigating the situation … We can’t tell how phishers came to
target your e-mail address.”
[image: Amazon customer service thinks Amazon's own email is a phishing
message] <https://regmedia.co.uk/2018/11/21/amazon_email_phishing.png>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20181123/85bc02b1/attachment.html>