Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

$1tn biz doesn't answer very basic questions - like how or why it happened


Updated Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities.

Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] name and email address due to a technical error".

The email from Amazon, which included an HTTP link to its website at the end, read:

Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely, Customer Service

Amazon's UK press office acknowledged that the email was genuine, saying only: "We have fixed the issue and informed customers who may have been impacted."

The company did not answer our questions as to how many customers had been affected, whether it had informed the Information Commissioner's Office, what the cause of the breach was or how or when it had been spotted.

The ICO acknowledged our phone call seeking comment but has yet to get back to us.

Meanwhile, out in the badlands of Twitter, people from across the world were wondering whether they'd been spammed or whether the email was genuine:

Alden gives his location in his Twitter profile as Phoenix, Arizona, which is in the US. Others tweeting about it include folk in the Netherlands and what appears to be South Korea. ®

Update @ 1630 GMT

After we repeatedly poked Amazon’s UK press office with a pointy stick, they eventually agreed to say that this is not a breach in the sense of a hack while maintaining that the snafu is an inadvertent technical error and that they emailed customers from an abundance of caution.

The ICO eventually got round to telling us that it’s shrugging its shoulders.

“Under the GDPR,” said the data protection regulator, “organisations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and cooperate with other supervisory authorities where required.”

Meanwhile, Amazon’s customer service department initially thought the firm’s own notification email to affected customers was a phishing attempt. A suspicious reader, wondering whether the shonky-looking email was legitimate, sent it to Amazon customer services asking whether it was real, and got the response: “The e-mail you received wasn't from Amazon.co.uk, and we're investigating the situation … We can’t tell how phishers came to target your e-mail address.”

