Amazon have written to multiple users informing them that their real names and email addresses have been revealed to other users of the site in what Amazon are describing as an ‘inadvertent’ disclosure.
(This article has been edited at Amazon’s request – previously we stated it was an Amazon ‘data breach’ and the wording has been amended to ‘inadvertent disclosure’)
There’s no explanation of how long the data has been exposed or how many people the information was exposed to. It appears possible that this Amazon inadvertent disclosure was sellers’ data being exposed to consumers, in which case some sellers might even rejoice, as Amazon typically limit communications to their own messaging system.
Some sellers could be very happy that their email addresses were revealed if it results in a few consumers contacting them directly for future purchases but that’s not the point – the issue is that the data should have been kept secure in the first place. It also appears that the Amazon inadvertent disclosure may not be limited to UK users.
We’ve received copies of the email from users that received it (below) and the good news is that no passwords or other secure information were released and Amazon claim that the issue has been fixed.
So far, it’s not clear whether this Amazon inadvertent disclosure has been reported to the ICO, which it appears likely it should be under GDPR, and Amazon haven’t revealed when they discovered the issue. Under GDPR rules, a company must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If Amazon take longer than 72 hours to report the breach then they will be expected to explain their reasons for the delay to the ICO.
If you received the email and are worried about its authenticity then yes, it is genuine, and there doesn’t appear to be anything you can do about it currently.
“Hello,
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely,
Customer Service Department”
– Email from Amazon to those affected by the Amazon inadvertent disclosure
Amazon Statement
“We have fixed the issue and informed customers who may have been impacted.”
– Amazon
An Amazon spokesperson told us:
- This was not a breach of our website or any of our systems.
- Our website inadvertently disclosed email addresses and names due to a technical error that has been fixed.
- We emailed customers out of an abundance of caution to let them know their name and email address was disclosed.
10 Responses
I was amongst the lucky ones and received that magical, super short and super vague email from Amazon.
They should have included a bit more information on what exactly happened.
I think Amazon think themselves almost God like when it comes to this sort of thing and will only reveal further details IF forced to do so.
Comes back to the old saying “The more you open your mouth, the more you can put your foot in it” and boy that can be true. B-)
When these companies get fined for whatever, price fixing or emissions scandals etc, it would be nice if those fines found their way back to the “affected”.
I’ll write that on my Christmas list.
Santa, are you listening.
Or maybe he’s too busy painting the ebay sign red.
Saw it on Ebay AUS yesterday, and brought a tear to my eye !!!!!!
I received the message from them which may explain why my phone which received texts of two step verification has suddenly started receiving messages appearing as Amazon saying my account needs updating or it will be suspended and they are all coming in under the amazon number and are from numerous sources .com .de .it and so on. Plus VAT demands from them 46 texts in the last 2 days.
So it may be that this is actually a bigger data breach than they are letting on.
Yep, me too.
No harm done, or I hope so!
Also had the email. Typical Amazon approach of treating their sellers with no respect whatsoever. It always amazes me how they throw such a good spin to their customers causing the majority to believe they are so wonderful while at the same time being as repugnant as possible to their sellers. It just makes me cringe when I read repeated cases on their forum of sellers having to try and decode their cryptic messages particularly when they are often innocently suspended and suffering loss of income.
I opened a seller account with them on 7th of October and they wouldn’t let me list anything I wanted to.
So the next day I tried to get into my account to close it and it was blocked so I couldn’t access it.
I phoned customer services and they said “It’s blocked so we cannot access it”.
I said “I know, that’s why I’m phoning”.
They said we can’t do anything we will email the relevant department and they will contact you.
I received an email from the customer services rep I had spoken to asking me to email [email protected], which I did.
By the 22nd of October nothing had happened so I phoned again and went through the same process all over again with the same result.
By 22nd of October nothing again so I phoned and emailed again.
Same result so I insisted on speaking to their manager who put me through to another department who asked for the card details I had signed up with (which they had taken £30 in fees for that day.) They said they would email the Accounts specialist department and ask them to deal with it urgently.
By 25th of October nothing again so I phoned and emailed again.
Same again, went through 2 departments. They said they would email the Accounts specialist department and ask them to deal with it urgently.
16th of November. Went through the whole procedure all over again.
I explained that I am told the same thing every week and they just say they will mark the email as urgent, they say they can only email the department, not speak to them.
They won’t put me through to anyone else and won’t let me know how to get through to complain about this department which takes my money but won’t speak to me or email me to let me access my account to cancel it.
It is now 22nd of November and after nearly 7 weeks of phone calls and emails they are still not responding.
Does anyone have any ideas or contact numbers please?
I am at my wits end.
I find it deeply worrying that Amazon are more concerned about watering down the media coverage than the rights of their sellers. What pressure did they put on Tamebay to change the terminology used?
The ICO have a definition of a data breach at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/ – it states;
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
– access by an unauthorised third party;
– deliberate or accidental action (or inaction) by a controller or processor;
– sending personal data to an incorrect recipient;
– computing devices containing personal data being lost or stolen;
– alteration of personal data without permission; and
– loss of availability of personal data.”
By this definition, Amazon have most certainly been guilty of a breach, whether accidental or not. The lack of clarity in the email to their sellers (together with further breaches in terms of failing to identify the data controller etc) is deeply worrying.
Sadly, I doubt that the ICO will have the willingness to follow this up; they prefer to go after easier targets that won’t fight back with a budget bigger than the GDP of most third world nations, which will just demonstrate yet again that the mega-corporations are now totally above the law.