Security

Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

$1tn biz doesn't answer very basic questions - like how or why it happened


Updated Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities.

Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] name and email address due to a technical error".

The email from Amazon, which included an HTTP link to its website at the end, read:

Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely, Customer Service

Amazon's UK press office acknowledged that the email was genuine, saying only: "We have fixed the issue and informed customers who may have been impacted."

The company did not answer our questions as to how many customers had been affected, whether it had informed the Information Commissioner's Office, what the cause of the breach was or how or when it had been spotted.

The ICO acknowledged our phone call seeking comment but has yet to get back to us.

Meanwhile, out in the badlands of Twitter, people from across the world were wondering whether they'd been spammed or whether the email was genuine:

Alden gives his location in his Twitter profile as Phoenix, Arizona, which is in the US. Others tweeting about it include folk in the Netherlands and what appears to be South Korea. ®

Update @ 1630 GMT

After we repeatedly poked Amazon’s UK press office with a pointy stick, they eventually agreed to say that this is not a breach in the sense of a hack while maintaining that the snafu is an inadvertent technical error and that they emailed customers from an abundance of caution.

The ICO eventually got round to telling us that it’s shrugging its shoulders.

“Under the GDPR,” said the data protection regulator, “organisations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and cooperate with other supervisory authorities where required.”

Meanwhile, Amazon’s customer service department initially thought the firm’s own notification email to affected customers was a phishing attempt. A suspicious reader, wondering whether the shonky-looking email was legitimate, sent it to Amazon customer services asking whether it was real, and got the response: “The e-mail you received wasn't from Amazon.co.uk, and we're investigating the situation … We can’t tell how phishers came to target your e-mail address.”

Click to enlarge

Send us news
77 Comments

Amazon hopes to avoid labor regulation by simply abolishing national watchdogs

Our right to exploit workers trumps your right to probe

Date set for for epic Amazon-FTC antitrust showdown

Lina Khan may not even be in charge of watchdog by time case gets to trial, if it even goes that far

Insider steals 79,000 email addresses at work to promote own business

After saying they're very sorry, they escape with a slap on the wrist

Dumping us into ad tier of Prime Video when we paid for ad-free is 'unfair' – lawsuit

Who could possibly have predicted this backlash?

Air National Guardsman Teixeira to admit he was Pentagon files leaker

Turns out bragging on Discord has unfortunate consequences

NTT boss takes early retirement to atone for data leak

No mere mea culpa would suffice after 9.2 million records leaked over a decade, warnings were ignored, and lies were told

Cops visit school of 'wrong person's child,' mix up victims and suspects in epic data fail

Data watchdog reprimands police force for confusing 2 people with same name and birthday to disastrous results

U-Haul tells 67K customers that cyber-crooks drove away with their personal info

Thieves broke into IT system using stolen login

ALPHV gang claims it's the attacker that broke into Prudential Financial, LoanDepot

Ransomware group continues to exploit US regulatory requirements to its advantage

Amazon overcharges shoppers with Buy Box algorithm, fresh lawsuit claims

Bazaar of Bezos buries bargains, allegedly

Southern Water cyberattack expected to hit hundreds of thousands of customers

Brit utility also curiously disappears from Black Basta leak site

FCC gets tough: Telcos must now tell you when your personal info is stolen

Yep, cell carriers didn't have to do this before