Amazon gave numerous employees ‘free for all’ access to customer information, which allowed low-level workers to see the personal shopping history of celebrities and of people they were romantically involved with, a new report alleges.
It has been claimed that customer service representatives were given the ability to look up any user’s purchase history on command to ensure quick assistance. One former service representative told Wired that colleagues would look up the purchases of celebrities including Kanye West or Marvel actors – including sensitive purchases such as sex toys.
Other staffers recalled employees looking up the data of exes and girlfriends or boyfriends – despite this being forbidden by Amazon’s policies.
The report, from Wired and Reveal, is based on a series of six-page memos exchanged among numerous Amazon executives between 2016 and 2018, internal Amazon documents dating back to 2015, and interviews with former, anonymous, staff.
The system that “allows associates to quickly work on behalf of Amazon customers … puts those same customers at risk from intentional abuse and unintentional exposure by employees and contractors who have been entrusted with elevated privileges”, an internal memo reportedly read.
“We strongly reject the notion that abuse of these privileges is ‘common,’” an Amazon spokesperson told Wired.
Amazon’s vast company network was allegedly “put together with tape and bubblegum,” according to cybersecurity executive Gary Gagnon who was Amazon’s vice president of information security in 2016.
Gagnon says he made attempts to increase his security staff – having only 300 on a team he believed should be 1000-strong – but met pushback from Amazon higher-ups who would not provide the resources because it would increase overhead costs.
“I would tell new hires, ‘Assume your budget is zero and go from there. Just be as frugal as you can,’” Ellie Havens, a former business operations manager on the security team, recalled.
In addition, the report alleges that up to 24 million American Express credit card numbers, and customer names, had also been stored in Amazon’s internal network where they could have been vulnerable to attack.
The security team allegedly said they were unable to say whether the details had been accessed or not, because their access logs only went back 90 days.
“We had no idea what the exposure actually was,” Gagnon says. “I was astonished by that.”
It is claimed that one of the causes of these issues was Amazon’s 3,300 teams’ tendency to copy data and store it in various locations, according to a 2018 security memo, resulting in a “mostly undocumented proliferation of copies of their required data sets.”
Even before then, an attempt to map all of Amazon’s data in 2016 by its security team reportedly proved impossible.
Amazon told Wired that “there is no evidence to suggest the data was ever exposed outside of our internal system in any way.”
Another reported scandal saw Chinese data firms harvesting millions of customers’ information using a backdoor in a tool that allows third-party developers to look at their own metrics. Using AMZReview, a service advertised as a way for sellers to boost their Amazon rankings, third-party companies collected the ‘keys’ from 92 different sellers to unlock huge amounts of information without the knowledge of 16 million customers.
AMZReview gave sellers access to the personal email addresses attached to customers – allegedly allowing them to target buyers leaving bad reviews and entice them to remove them with special offers – but these had allegedly been collected from “other open and breached sources”, Wired says.
One memo said that over half of the third-party developers that Amazon had researched were violating its terms of service. When Amazon discovered companies doing this, it claims that it cut them off; it also used an outside auditor to ensure companies complied with the rules.
“Across 25 years in business, Amazon has an exceptional track record of protecting customer data and has invested billions of dollars to build systems and processes to keep data secure”, an Amazon spokesperson told The Independent in an emailed statement.
“We have relentlessly high standards for security and privacy, and we continuously assess and implement new measures when we see opportunity to further strengthen our protections. The claims made in the WIRED story are based on information that is outdated and out-of-context and have absolutely no bearing on Amazon’s current security posture.”