Updated
Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities.
Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] name and email address due to a technical error".
The email from Amazon, which included an HTTP link to its website at the end, read:
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely, Customer Service
Amazon's UK press office acknowledged that the email was genuine, saying only: "We have fixed the issue and informed customers who may have been impacted."
The company did not answer our questions as to how many customers had been affected, whether it had informed the Information Commissioner's Office, what the cause of the breach was or how or when it had been spotted.
The ICO acknowledged our phone call seeking comment but has yet to get back to us.
Meanwhile, out in the badlands of Twitter, people from across the world were wondering whether they'd been spammed or whether the email was genuine:
When are companies like @Amazon going to realize how to write a proper breach letter? Once again this sounds scammy as shit and has a completely unnecessary link at the bottom. pic.twitter.com/va4i8ak1HW
— Drew Alden - Looking for Work! (@ReanimationXP) November 21, 2018
Alden gives his location in his Twitter profile as Phoenix, Arizona, which is in the US. Others tweeting about it include folk in the Netherlands and what appears to be South Korea. ®
Update @ 1630 GMT
After we repeatedly poked Amazon’s UK press office with a pointy stick, they eventually agreed to say that this is not a breach in the sense of a hack, while maintaining that the snafu is an inadvertent technical error and that they emailed customers out of an abundance of caution.
The ICO eventually got round to telling us that it’s shrugging its shoulders.
“Under the GDPR,” said the data protection regulator, “organisations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and cooperate with other supervisory authorities where required.”
Meanwhile, Amazon’s customer service department initially thought the firm’s own notification email to affected customers was a phishing attempt. A suspicious reader, wondering whether the shonky-looking email was legitimate, sent it to Amazon customer services asking whether it was real, and got the response: “The e-mail you received wasn't from Amazon.co.uk, and we're investigating the situation … We can’t tell how phishers came to target your e-mail address.”