WTF?
If I saw an email like that, my brain would be screaming "SCAM".
"Hello" - no name etc. FFS, whatever made them think that's acceptable?
Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities. Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] …
I agree, even easier as there was no action required.
Hi [Name], We're writing to notify you that your account is among a number which *have* been involved in a security breach. Please log into your account using your normal route to see further information and what steps, if any, to take next. As always, please do not click on links on emails, we will never ask for your details..... blah blah
If a reset is required, deal with it when a log in is attempted, not using an email link. Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners and images, so people are not trained this way.
Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners
Some time ago, our marketing team wanted a whole slew of twitter/FB/LinkedIn/etc etc buttons added to the bottom of every outgoing email. Even if we were willing to do that (email is a 7-bit ASCII mechanism dammit!) we managed to come up with a (cough) valid technical reason why not - the increase in file size.
The average email size (without attachments) was about 6K bytes. Once the buttons and associated JS were added, it ballooned up to 200K.
We pointed this out to Marketing and let them know that increased costs in bandwidth and storage would be charged to them. Mysteriously, the request was withdrawn thereafter.
"If a reset is required, deal with it when a log in is attempted, not using an email link."
I've berated PayPal numerous times about sending emails with links to log in. Their communications often looked exactly like phishing attempts. While I'm a cynical old bastard, the vast majority of people are lazy idiots and will click links because "it's so much work" to type in a URL. Given that so many use their mobiles, they are right. I can bang out a URL on a proper keyboard in a blink, but without the tactile feedback, it takes longer on the mobile and between my fat fingers and auto-correct, it can take some time.
They probably wanted to get it out ASAP. I sure as hell don't personalize my replies when I have to answer tens of the same ticket...
Still, one would think the biggest tech company in the world would have a better system already in place for this.
Or a website that isn't vulnerable. One of the two.
Yep, I initially thought it looked dodgy when I received the same email yesterday. But the mailbox I use is only for that Amazon account and nothing else, and there were no spurious links in it or actions to take.
They could have done a much better job of the correspondence. But an explanation on exactly what prompted it in the first place would have been more appropriate and appreciated.
You only get 72 hours to contact the ICO here when you become aware of a breach. You don't need to tell them what's happened, just say "we dun goofed and will get back to you", but they will be slightly peeved if you don't get in touch for a few months as usual.
Not that they'll do anything mind.
This is a terrible email because it looks like a phishing scam. Because it didn't mention an action it wanted me to take such as clicking on a link, it wasn't obvious how this email would benefit a scammer. I studied the email header but it looked pretty genuine. Then I took to Google and it pointed me to this El Reg article.
I've spent £1,000s with Amazon over the last 13 years and I would expect a decent email from them including an APOLOGY for disclosing my personal details. It doesn't even greet me by name or link to further information to explain in what way my details were disclosed, when the breach happened and how long it exposed my details for.
I feel really let down and would prefer never to use them again to teach them a lesson, but they obviously wouldn't even notice my missing custom and they know I'd lose out more than they would. I only hope the ICO have put their teeth in today.
Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(
@GaryF
Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(
They've obviously mistaken you for Julian Assange. Seen any black helicopters lately?
"there'll be a stray cat waiting to follow you home and it will be hungry."
The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how malleable your mind is.
Usually when you fall into the category of 'soft touch' by offering them food, they will then just turn their noses up at you with a look of disgust* to put you in your proper place.
*Unless a particularly nice morsel. They aren't stupid. Just self absorbed.
The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how malleable your mind is
I think I've failed that test - many, many, many times. That's probably why we have seven cats (age range - 12 years to 1 year. Youngest cat was (at this time last year) a two-month old stray living in a friend's garden. Now spends a lot of time sleeping next to the radiator..)
They aren't stupid. Just self absorbed
Cat intelligence varies enormously according to the subject matter. Food happens to be a subject that they have PhD-level intelligence in.
They do a people delivery service already, a guy was found (naked) in an Amazon storage box in Japan just this week.
Yeah, I got the spammy sounding email overnight; luckily this is an account I use for commercial sites I expect to spam me, so the spam filters on it are already set to "kill everything"
Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain?
Ages ago somewhere in My Account I stumbled across an e-mail marketing page, disabled every tickbox, and have never had a marketing e-mail since. I assume this is still present.
I don't have a bloody cat, never had and never clicked on anything cat-like
It's the universe telling you that you are missing something essential from your life..
(Almost was late for work this morning - $YoungestCat decided that my lap was an appropriate place to curl up as I was eating breakfast..)
Might be useful:
Art. 82 GDPR Right to compensation and liability:
"...Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
Data Protection Act 2018:
Section 168:
Compensation for contravention of the GDPR
(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), "non-material damage" includes distress.
He's making a list
He's checking it twice
He's gonna find out who's naughty or nice
Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
He has a legitimate interest if you're sleeping,
He knows if you're awake
He knows if you've been bad or good,
And his privacy policy determines the next action he'll take
...
So you'd better watch out.
You'd better not cry.
You cannot opt-out,
I'm telling you why.
Santa Claus has a legitimate interest in maintaining data on you and does not need to use the consent model of the GDPR.
[sorry about the scanning.]
Santa Claus is in contravention of article 4 of the General Data Protection Regulation
That was originally the view of the German town of Roth too.
Needless to say, the lawyers are already on the case.
Legal? Compliant?
A hairy alcoholic (16.8 million litres of sherry in one night?) with a sock fetish, dressed by a corporate sponsor in the sugar industry, commits serial breaking and entering, to bring sweets and gifts to certain kids that he has assessed as "nice." And the authorities have done nothing *NOTHING!*
Save us ICO - you're our only hope.
I'm among the last to give Amazon any kudos or praises, but let's do an honest gut check.
If you believe this looks phishy, then you're a ripe target for a well built phishing email.
You're basically stating, if it looks professional and is well written, then the email is legit.
Going off grammar or spelling is a method. Just look at the responses to this forum!
In fact, you should treat all unsigned external emails the same. No matter how they look or are written.
At any time there is a question... get off your fat ass and investigate it. The return URL is legitimate enough that, if you had followed up on it, your question would have been answered within 5 minutes.
If the URL had been slightly different, but questionable, there are security tools--such as Fiddler--which you should, as an IT professional, be very comfortable using by now.
Large organizations should have a mailbox employees can forward an email to, so an InfoSec employee can make a determination.
In many of our red team out briefs, we comment on how an organization can spend $2 Million on security devices, but it will not do much good if they don't spend money hiring active--as opposed to lazy--IT and InfoSec professionals.