The $1 trillion company is unaware about the causes of the incident
Amazon has suffered a security incident in its data management system, according to specialists in digital forensics from the International Institute of Cyber Security, it is unknown if the company has already notified to the authorities about the situation; in addition, the causes of the incident or any related technical details are still undisclosed.
Multiple users of the Internet sales site have reported that the site has inadvertently disclosed their names and email address due to a technical error. The Amazon security notice, which included an HTTP link to its website at the end, mentions:
We are writing to inform you that our website has inadvertently disclosed your name and email address due to a technical error. The problem has been solved. This is not the result of any user activity, and you do not need to change your password or perform any other action.
Sincerely: Amazon Customer Service.”
The Amazon press office in the United Kingdom acknowledged that this message is genuine and added: “We have solved the problem and informed customers that they might have been affected,” reports specialized media in cybersecurity and digital forensics.
The company did not respond to questions about the number of clients affected, whether the Information Commissioner Office (ICO) has already been notified, the possible causes of the incident, or when it was detected.
Meanwhile, Twitter users around the world continue to wonder if the information they received from Amazon via email is legitimate or if they are exposed to a potential phishing campaign.
“The Amazon statement does not seem legitimate; it even contains a completely unnecessary link in the final part of the message,” posted in a tweet Drew Alden, one of the users who received the company’s email.
The company has decided to mention that this incident is not a data breach, stating that it is simply a technical error, and that notification to users has been carried out in the most discreet way possible. On the other hand, the ICO has not issued any statements yet.
According to specialists in digital forensics and information security, under the GDPR, organizations should evaluate whether an incident should be reported to the ICO, or to the equivalent supervisory agency in each country. It is always the company’s responsibility to identify when a European Union citizen has been affected as part of a data violation and take measures to mitigate the risks to consumers.
There was also an error in the company’s internal communication, as Amazon’s customer service department initially thought that the email of notification to affected customers was a phishing attempt. One of the affected users sent this message to Amazon customer services asking if it was real, and got a wrong answer: “The email you received is not from Amazon.co.uk, and we are investigating the situation… We don’t know how the perpetrators of this phishing campaign accessed your email information”.