[BreachExchange] Amazon fires employee for sharing customers' email addresses

Destry Winant destry at riskbasedsecurity.com
Mon Oct 8 22:07:23 EDT 2018


In an email sent to customers on Friday, October 5, Amazon said it
fired an employee for sharing customers' email addresses with a
third-party seller. Third-party sellers are companies or individuals
who sell products on Amazon.

Amazon said it's working with law enforcement in support of the former
employee's prosecution. The company also said it blocked the
third-party seller from selling on the platform and reassured users
that no other info besides email addresses had been disclosed.

Amazon's email notification comes after the company announced
mid-September it was starting an investigationinto rumors that some of
its employees, especially in China, were selling customer data to
store owners.

The same report said Amazon employees were also deleting reviews for
bribe, helping some store owners gain an unfair advantage and having
products rank higher in search results.

It is unclear if the firing of this employee was related to last
month's investigation, although this would be the primary explanation
for Amazon suddenly discovering and releasing an employee for selling
customer data.

Amazon had previously appealed to its customers to report cases where
they received email spam from Amazon sellers.

The primary effect of Amazon staffers giving store owners access to
users' email addresses is that third-party sellers can then send
unsolicited emails with product catalogs. Amazon store owners don't
normally have access to users' email addresses.

Another effect would be that store owners could approach former
customers with discounts or other offers in exchange for the user
changing a previous negative review.

"We have zero tolerance for abuse of our systems and if we find bad
actors who have engaged in this behavior, we will take swift action
against them, including terminating their selling accounts, deleting
reviews, withholding funds, and taking legal action," an Amazon
spokesperson told ZDNet last month.

The full text for yesterday's email notification is below:

"We are writing to let you know that your email address was disclosed
by an Amazon employee to a third-party seller on our website in
violation of our policies. As a result, the employee has been
tarminated and we are supporting law enforcement in their prosecution.
The third-party seller has been blocked. This is not a result of
anything you have done, and there is no need for you to take any

More information about the BreachExchange mailing list