Former Amazon insider: millions of customers’ personal data at risk

Three former senior Amazon information security employees, speaking anonymously, recently told the news outlet POLITICO that Amazon lacks adequate protection for the large volume of customer data it collects, and that security weaknesses in its systems leave that data exposed to intrusion, theft and misuse. They say Amazon does not know where customer data is stored, that its management of system access is chaotic, and that it pays too little attention to protecting customer data.

One of the three worked in Amazon's information security function in the EU; the other two worked in it in the United States. Below they are referred to as the EU information security employee, US information security employee A and US information security employee B.

Amazon unsure where customer data is stored

POLITICO reported on Feb. 24 of this year that, according to US information security employees A and B, Amazon's customer data is at risk because the company is not clear about what data it holds, where it is stored and who has access to it.

“If you want the ‘right to be forgotten,’ it’s not even possible because it’s almost impossible for Amazon to determine where your data is anywhere in their system,” said US information security employee A. The right to be forgotten, or to have one’s data deleted, is a core entitlement for individuals under several privacy regimes, including those in Europe and California.

US information security employee B likewise said Amazon was unaware of the extent of the personal information it held. “Amazon has grown so fast that it doesn’t know what it has … They don’t know where their data is, so they don’t know if they’re protecting it properly,” he said.

“You have thousands of … teams that touch big data, and you should have a way to keep track of all the different types of data. From a technical standpoint, you need to know where the data is going and how to protect it. Yet, in practice, it doesn’t work that way,” said US information security employee B.

System administration is chaotic and access is not restricted to those who need it

“The quality of Amazon’s control over the system (administration) was appalling,” said US information security employee A. “We found that employees on thousands of accounts had been restricted from accessing the system. We found thousands of employees on accounts who were no longer at Amazon, but they still had system access.” He added: “Based on my past experience, most people would not consider Amazon’s basic (administrative) controls for information technology to be competent … management is poor.”

US information security employee B also said Amazon may not be adequately controlling access to its systems: in a company with more than a million employees, large amounts of personal information can be reached by people whose roles give them no need for it. He added that a company like Amazon should have top-tier data protection, because “the slightest misstep by Amazon can cost hundreds of thousands or even millions of users’ data.”
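The control whose absence the two former employees describe is a routine joiner/mover/leaver reconciliation: compare the identity provider’s account export against the HR roster, flag accounts whose owner has left or has no HR record at all, and flag active accounts holding groups their job function does not justify. The following is an added example written for this article, not code from Amazon, POLITICO or the interviewees; the CSV layouts, names, group names and the department-to-group baseline are all constructed for illustration.

```python
"""Reconcile an identity provider's account export against an HR roster.

Added example for this article (not Amazon's or POLITICO's code). Every
identifier, group name and CSV layout below is constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: one row per employee; status is "active" or "terminated".
HR_ROSTER_CSV = """employee_id,name,department,status,termination_date
E100,Ana Ruiz,Payments,active,
E101,Ben Odeh,Data Platform,terminated,2018-03-15
E102,Chen Wei,Customer Support,active,
E103,Dana Kim,Marketing,active,
"""

# Constructed IdP/IAM export: one row per account, group memberships separated by ';'.
IAM_ACCOUNTS_CSV = """account,employee_id,groups,last_login
aruiz,E100,payments-ro;payments-admin,2018-06-01
bodeh,E101,data-platform-admin,2018-05-20
cwei,E102,support-tools;customer-pii-read,2018-06-02
dkim,E103,marketing;customer-pii-read,2018-06-02
svc-backup,,data-platform-admin,2018-06-02
"""

# Constructed least-privilege baseline: the groups each department may hold.
ALLOWED_GROUPS = {
    "Payments": {"payments-ro", "payments-admin"},
    "Data Platform": {"data-platform-admin", "customer-pii-read"},
    "Customer Support": {"support-tools", "customer-pii-read"},
    "Marketing": {"marketing"},
}


@dataclass
class Finding:
    account: str
    kind: str    # "orphaned", "terminated" or "excess_access"
    detail: str


def parse_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, iam_csv: str, allowed: dict[str, set[str]],
              as_of: date = date(2018, 6, 2)) -> list[Finding]:
    """Return one Finding per account that fails the leaver or least-privilege check."""
    roster = {row["employee_id"]: row for row in parse_csv(hr_csv)}
    findings: list[Finding] = []
    for acct in parse_csv(iam_csv):
        groups = set(filter(None, acct["groups"].split(";")))
        emp = roster.get(acct["employee_id"])
        if emp is None:
            # No owner in HR: an unowned service account or a left-over identity.
            findings.append(Finding(acct["account"], "orphaned", "no matching HR record"))
            continue
        if emp["status"] == "terminated":
            # The leaver check: the person is gone but the account still holds groups.
            stale_days = (as_of - date.fromisoformat(emp["termination_date"])).days
            findings.append(Finding(
                acct["account"], "terminated",
                f"left {stale_days} days ago, still holds {sorted(groups)}"))
            continue
        # The least-privilege check: groups beyond what the department is allowed.
        excess = groups - allowed.get(emp["department"], set())
        if excess:
            findings.append(Finding(
                acct["account"], "excess_access",
                f"{emp['department']} role does not justify {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER_CSV, IAM_ACCOUNTS_CSV, ALLOWED_GROUPS):
        print(f"{f.kind:14} {f.account:12} {f.detail}")
```

On the constructed data the run flags three accounts: `bodeh` (terminated employee with an admin group still attached), `dkim` (a marketing account holding `customer-pii-read`) and `svc-backup` (no HR owner). In practice the HR roster and IAM export come from the live systems and the check runs on a schedule, with each finding routed to the account owner for removal or a documented exception.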

According to the POLITICO report, this poor management also means Amazon may not even detect an intrusion. A June 2018 internal Amazon memo seen by one of the former employees concluded that the company faced a “very high potential” for significant financial loss or reputational damage because of its “inability to identify hostile events.”

The POLITICO report also noted that one of the three former employees had seen internal security reports from 2016 and 2017 in which Amazon claimed to be patching 55 to 70 percent of its systems. US information security employee A likened this to “a house with several windows and doors open.”

“Imagine what it would be like for a company the size of Amazon to be compromised,” US information security employee A told POLITICO. “That’s millions of dollars of personally identifiable information at risk.”

Amazon management rejected information security staff’s reports

The General Data Protection Regulation (GDPR) took full effect in Europe on May 25, 2018. Companies that violate it, for example through a large data breach or unlawful collection of user data, can face fines of up to 4 percent of global annual turnover.

POLITICO reported, based on the former employees’ accounts, that it was not until late April 2018, weeks before the regulation took effect, that Amazon set up a dedicated team within its information security department to address the new rules. “It’s sad that this company (Amazon) is so far behind,” one of the US information security employees said.

According to two of the former employees, several attempts by the EU information security employee and others to report that Amazon faced GDPR compliance risks and gaps were rebuffed well before the May 2018 deadline.

The documents, including quarterly reports sent to senior executives, allegedly listed the GDPR risks and vulnerabilities the company faced and described many of them in detail. Recipients included Jeff Wilke, CEO of Amazon’s global consumer business, David Zapolsky, general counsel, and Brian Olsavsky, chief financial officer.

Employees who raised problems faced retaliation

Every former Amazon employee interviewed by POLITICO said they had been marginalized or eventually forced out because of the concerns they raised about the company’s data security posture or its ability to comply, and that after they tried to escalate those concerns in several ways, the retaliation against them intensified.

All three said they were sidelined to the point where they could no longer raise issues or even carry out the control functions assigned to them under Amazon’s governance model: they were not invited to meetings, were not asked to write reports, or were not given accurate information.

US information security employee B said that those who did report problems were assigned to projects below their pay grade or with little relation to the job they were hired for, or were told to stop working on the problematic projects.

POLITICO notes that this account from US information security employee B mirrors the description given by another employee in legal documents seen by POLITICO.

US information security employee A also believes Amazon is “systematically rooting out” those who raise compliance issues.

An Amazon spokesperson said no employee had left the company because of concerns about data security or compliance, and that the allegations appear to come from employees who had ongoing problems at the company and decided to leave.

The EU information security employee is currently in legal proceedings before a Luxembourg court over the terms of their departure.

A UK academic has also cited security problems in Amazon’s data management

POLITICO reports that the British academic Garfield Benjamin, who has written about Amazon’s privacy vulnerabilities, said the company’s “disregard for privacy and security” points to “big problems.”

Benjamin told POLITICO: “It seems odd – and unfortunately all too common – that a company so keen on making data a major part of its business would have such poor practices.” He asked, “Could it be that they are so arrogant, so cocky, that they even think they have such impeccable power that they think they are completely inviolable?”

The consequences if Amazon’s data falls into the wrong hands

Amazon is one of the most powerful data players among the large technology companies, thanks to the vast amount of customer information it collects through its e-commerce platform, its online advertising business and its cloud computing arm, Amazon Web Services (AWS).

That data includes order histories, payment information, data collected through its advertising business and, for sellers on its platform, proof-of-identity documents, among other things.

In the hands of criminals, such data can be held for ransom under threat of publication, used to defraud customers, and used to log into other online accounts. It also gives phishing attacks leverage: stolen details make fraudulent messages convincing enough to trick victims into paying fees or revealing more sensitive information.