back to article Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities. Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] …

  1. I can't believe its not butter

    WTF?

    If I saw an email like that, my brain would be screaming "SCAM".

    "Hello" - no name etc. FFS, what ever made them think that's acceptable?

    1. cbars Bronze badge

      Re: WTF?

      I agree, even easier as there was no action required.

      Hi [Name], We're writing to notify you that your account is among a number which *have* been involved in a security breach. Please log into your account using your normal route to see further information and what steps, if any, to take next. As always, please do not click on links on emails, we will never ask for your details..... blah blah

      If a reset is required, deal with it when a log in is attempted, not using an email link. Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners and images, so people are not trained this way.

      1. CrazyOldCatMan Silver badge

        Re: WTF?

        Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners

        Some time ago, our marketing team wanted a whole slew of twitter/FB/LinkedIn/etc etc buttons added to the bottom of every outgoing email. Even if we were willing to do that (email is a 7-bit ASCII mechanism dammit!) we managed to come up with a (cough) valid technical reason why not - the increase in file size.

        The average email size (without attachments) was about 6K bytes. Once the buttons and associated JS were added, it balooned up to 200K.

        We pointed this out to Marketing and let them know that increased costs in bandwidth and storage would be charged to them. Mysteriously, the request was withdrawn thereafter.

      2. MachDiamond Silver badge

        Re: WTF?

        "If a reset is required, deal with it when a log in is attempted, not using an email link.

        I've berated PayPal numerous times about sending emails with links to log in. Their communications often looked exactly like phishing attempts. While I'm a cynical old bastard, the vast majority a people are lazy idiots and will click links because "it's so much work" to type in a URL. Given that so many use their mobiles, they are right. I can bang out a URL on a proper keyboard in a blink, but without the tactile feedback, it's takes longer on the mobile and between my fat fingers and auto-correct, it can take some time.

    2. ds6 Silver badge
      IT Angle

      Re: WTF?

      They probably wanted to get it out ASAP. I sure as hell don't personalize my replies when I have to answer 10's of the same ticket...

      Still, one would think the biggest tech company in the world would have a better system already in place for this.

      Or a website that isn't vulnerable. One of the two.

      1. Stevie

        Re: WTF?

        So how come they didn't have a more businesslike template pre-prepared? It was only a matter of time before they were going to need it.

        1. kend1
          Joke

          Re: WTF?

          Its a fake. A real letter of apology would have included a cc: list of twenty one thousand names and email addresses. And it would be signed by Jen Barber.

          1. GnuTzu
            Meh

            Re: WTF? -- BCC

            That was worth half a chuckle, but it's at least nice to know that Amazon knows how to use BCC--given that others have caused damage by not using CC instead of BCC.

          2. Stevie
            Pint

            4 kend1

            Norty man. Have an e-beer.

    3. Anonymous Coward
      FAIL

      Re: WTF?

      Nope, more lies and uintruths.

      "Amazon suffers data snafu days before Black Friday, emails world+dog"

      No they didn't. They showed real names and email on their website, rather than usernames and user email.

      Who writes this crap?

      1. Pascal Monett Silver badge

        @ Fred West

        Instead of complaining endlessly how this site is crap, why don't you just leave and go to a site you like ?

    4. Goldmember

      Re: WTF?

      Yep, I initially thought it looked dodgy when I received the same email yesterday. But the mailbox I use is only for that Amazon account and nothing else, and there were no spurious links in it or actions to take.

      They could have done a much better job of the correspondence. But an explanation on exactly what prompted it in the first place would have been more appropriate and appreciated.

  2. Halfmad

    Best not be too tight lipped Amazon

    You only get 72 hours to contact the ICO here when you become aware of a breach.. you don't need to tell them what's happened just say "we dun goofed and will get back to you" but they will be slightly peeved if you don't get in touch for a few months as usual.

    Not that they'll do anything mind.

  3. Gary F
    Flame

    I received this scam-like email - thanks for verifying El Reg

    This is a terrible email because it looks like a phishing scam. Because it didn't mention an action it wanted me to take such as clicking on a link, it wasn't obvious how this email would benefit a scammer. I studied the email header but it looked pretty genuine. Then I took to Google and it pointed me to this El Reg article.

    I've spent £1,000's with Amazon over the last 13 years and I would expect a decent email from them including an APOLOGY for disclosing my personal details. It doesn't even greet me by name or link to further information to explain in what way my details were disclosed, when the breach happened and how long it exposed my details for.

    I feel really let down and would prefer never to use them again to teach them a lesson, but they obviously wouldn't even notice my missing custom and they know I'd lose out more than they would. I only hope the ICO have put their teeth in today.

    Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(

    1. Florida1920

      Re: I received this scam-like email - thanks for verifying El Reg

      @GaryF

      Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(
      They've obviously mistaken you for Julian Assange. Seen any black helicopters lately?

      1. m0rt

        @Gary F Re: I received this scam-like email - thanks for verifying El Reg

        "I don't have a bloody cat, never had and never clicked on anything cat-like."

        Weirdo.

    2. Ken 16 Silver badge
      Trollface

      catalogue shopping

      Haven't you heard, pets by post is the next service from Amazon. When next you open an Amazon locker there'll be a stray cat waiting to follow you home and it will be hungry.

      1. Bowlers

        Re: catalogue shopping

        'Haven't you heard, pets by post is the next service from Amazon. When next you open an Amazon locker there'll be a stray cat waiting to follow you home and it will be hungry.'

        Not by post, that's why they tested delivery by drone.

        1. m0rt

          @Ken Re: catalogue shopping

          "there'll be a stray cat waiting to follow you home and it will be hungry."

          The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how mallable your mind is.

          Usually when you fall into the category of 'soft touch' by offering them food, they will then just turn their noses up at you with a look of disgust* to put you in your proper place.

          *Unless a partcularly nice morsel. They aren't stupid. Just self absorbed.

          1. CrazyOldCatMan Silver badge

            Re: @Ken catalogue shopping

            The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how mallable your mind is

            I think I've failed that test - many, many, many times. That's probably why we have seven cats (age range - 12 years to 1 year. Youngest cat was (at this time last year) a two-month old stray living in a friends garden. Now spends a lot of time sleeping next to the radiator..)

            They aren't stupid. Just self absorbed

            Cat intelligence varies enormously according to the subject matter. Food happens to be a subject that they have PhD-level intelligence in.

        2. Anonymous Coward
          Anonymous Coward

          Re: catalogue shopping

          Surely most cats are light enough that you could just deliver them by cannon?

          (j/k: I'm a cat-lover too!)

          1. Anonymous Coward
            Anonymous Coward

            No other security software?

            "(j/k: I'm a cat-lover too!)"

            Isn't there a law against that kind of thing?

        3. DuchessofDukeStreet

          Re: catalogue shopping

          I like cats a lot, but I ain't going within a hundred yards of an angry moggy that's been dropped off by a drone - I also like my skin, my clothes and my eyeballs...

          1. Mark 110

            Re: catalogue shopping

            I don't supposed you were pricing Cat-5 cable once? And confused the AI.

        4. David 132 Silver badge
          Coat

          Re: catalogue shopping

          Not by post, that's why they tested delivery by drone.

          Well you can’t get them to walk there... that’s just pussy-footing around.

        5. Ken 16 Silver badge

          Drone space is reserved for Vietnamese Pot Belly Pigs

      2. Anonymous Coward
        Anonymous Coward

        Re: catalogue shopping

        They do a people delivery service already, a guy was found (naked) in a Amazon storage box in japan just this week.

        Yeah, I got the spammy sounding email overnight; luckily this is an account I use for commercial sites I expect to spam me, so the spam filters on it are already set to "kill everything"

      3. Sgt_Oddball

        Re: catalogue shopping

        I feel an experiment coming on....

        Amazon order confirmation.

        1# Cat

        2# Geiger counter

        3# Radio isotope

        4# Hydrocyanic acid

        5# Spring-loaded hammer

    3. Dan 55 Silver badge

      Re: I received this scam-like email - thanks for verifying El Reg

      Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain?

      Ages ago somewhere in My Account I stumbled across an e-mail marketing page, disabled every tickbox, and have never had a marketing e-mail since. I assume this is still present.

    4. CrazyOldCatMan Silver badge

      Re: I received this scam-like email - thanks for verifying El Reg

      I don't have a bloody cat, never had and never clicked on anything cat-like

      It's the universe telling you that you are missing something essential from your life..

      (Almost was late for work this morning - $YoungestCat decided that my lap was an appropriate place to curl up as I was eating breakfast..)

  4. N2

    Apology?

    No,

    Just shows what sort fo company they really are.

    Any small biz behaving like that would get fucked over by the ICO.

  5. Anonymous Coward
    Anonymous Coward

    AWS?

    Apparently even Amazon can't secure a bucket properly.

    1. Anonymous Coward
      Anonymous Coward

      Re: AWS?

      piss poor that they reference http not https too.

    2. Flywheel

      Re: AWS?

      There's a Hole in My Bucket, dear Liza, dear Liza...

  6. Anonymous Coward
    Anonymous Coward

    Support denies it

    Just called their customer service after forwarding the email to their phishing address. They denied everything. Nice chap though.

  7. David Nash Silver badge

    Coincidence? Maybe not.

    I received a fake Amazon Marketplace email but it was obvious from the Subject and Sender that it wasn't real. It had [URGENT] in the subject which clearly marked it out as spam.

    I deleted without opening it. Maybe this was the source.

  8. I_am_not_a_number

    Amazon can't just brush it under the carpet now...

    Might be useful:

    Art. 82 GDPR Right to compensation and liability:

    "...Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

    Data Protection Act 2018:

    Section 168:

    Compensation for contravention of the GDPR

    (1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non- material damage” includes distress.

  9. Anonymous Coward
    Trollface

    Nothing to worry about

    They were just releasing the names and addresses of well-behaved children to Santa & his elves to ensure a pressie was left in their sock by Amazon Prime.

    1. Aqua Marina

      Re: Nothing to worry about

      He's making a list

      He's checking it twice

      He's gonna find out who's naughty or nice

      Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679

      1. LeahroyNake

        Re: Nothing to worry about

        Omg have another upvote ! Best post of the day by far ;D

      2. Steve Foster
        Childcatcher

        Re: Nothing to worry about

        Except that this would essentially fall under "legitimate interests", providing that he has made sure to do the proper notifications and publish an appropriate privacy policy.

        What, you deleted that email from Santa?

        1. I ain't Spartacus Gold badge
          Happy

          A synthesis of the two is needed perhaps?

          He's making a list

          He's checking it twice

          He's gonna find out who's naughty or nice

          Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679

          He has a legitimate interest if you're sleeping,

          He knows if you're awake

          He knows if you've been bad or good,

          And his privacy policy determines the next action he'll take

          ...

          So you'd better watch out.

          You'd better not cry.

          You cannot opt-out,

          I'm telling you why.

          Santa Claus has a legitimate interest in maintaining data on you and does not need to use the consent model of the GDPR.

          [sorry about the scanning.]

      3. Warm Braw

        Re: Nothing to worry about

        Santa Claus is in contravention of article 4 of the General Data Protection Regulation

        That was originally the view of the German town of Roth too.

        Needless to say, the lawyers are already on the case.

      4. Anonymous Coward
        Anonymous Coward

        Re: Nothing to worry about

        Surely Santa is legally compliant?

        It's an opt-in list: if you don't write a letter to Santa in the first place, you don't (assuming that you have indeed been good) get any presents, right? Surely everyone knows that...?

        1. activereachmax
          Childcatcher

          Legal? Compliant?

          A hairy alcoholic (16.8 million litres of sherry in one night?) with a sock fetish, dressed by a corporate sponsor in the sugar industry, commits serial breaking and entry, to bring sweets and gifts to certain kids that he has assessed as "nice." And the authorities have done nothing *NOTHING!*

          Save us ICO - you're our only hope.

        2. Steve K

          Re: Nothing to worry about

          In order to record goodness (or lack thereof) then he must already have a list (from previous mailings) and be retaining that information.

          1. Richard 12 Silver badge

            Re: Nothing to worry about

            The elves argue that the list is necessary to provide the service.

      5. Anonymous Coward
        Anonymous Coward

        Re: Nothing to worry about

        DAMN, Earworm alert!!!

        Got that running around in my head now; but even just thinking it, my brain is falling over whilst trying to get the whole GDPR bit into the tune.

  10. Anonymous Coward
    Anonymous Coward

    Got one this morning. Asked amazon to clarify when it was leaked, and how many people saw it etc etc.... no reply.

  11. Aodhhan

    Apparently not responses from real Security Professionals

    I'm among the last to give Amazon any kudos or praises, but let's do an honest gut check.

    If you believe this looks phishy, then you're a ripe target for a well built phishing email.

    You're basically stating, if it looks professional and is well written, then the email is legit.

    Going off grammar or spelling is an method. Just look at the responses to this forum!

    In fact, you should treat all unsigned external emails the same. No matter how they look or are written.

    At anytime there is a question... get off your fat ass and investigate it. The return URL is legitimate enough, that if you would have followed up on it, your question would have been answered within 5 minutes.

    If the URL would have been slightly different, but questionable, there are security tools--such as Fiddler--which you should, as an IT professional be very comfortable using by now.

    Large organizations should have a mailbox employees can forward an email to, so an InfoSec employee who will make a determination.

    In many of our red team out briefs, we comment on how an organization can spend $2 Million on security devices, but it will not do much good if they don't spend money hiring active--opposed to lazy IT and InfoSec professionals.

    1. Ragarath
      Stop

      Re: Apparently not responses from real Security Professionals

      I'm pretty sure most people, at least here on el'reg are not saying that the only way they check is if an email is properly written. An email having grammatical/spelling errors is just a big warning sign and the most obvious.

      I've managed to get almost all of my users forwarding on messages of this type if they are unsure. And yes legitimate emails can come in with similar errors especially if you work with foreign companies etc. I've even seen some from British companies.

      I've also got most checking links in emails before clicking and if possible going direct to the site and not via the link. This is much harder though, people going about their jobs want things to be easy. In their ind IT will clear up any issues... at least until I point out that the policy say they are to check these things first.

  12. ukgnome

    For once I haven't been included in a breach.

    Huzzah

    1. Anonymous Coward
      Anonymous Coward

      For once I haven't been included in a breach.

      On the basis of previous breaches, it is normal for belated discovery of how many records were exposed, when, and who the data applied to.

      So for once, you haven't yet been notified that your data may have been included in this breach?

      So I wouldn't go as far as Huzzah, but you might want to give a resounding Huh.

      1. ukgnome

        Ooh what a bitter cynic, can't you just let me have my joy for once?

  13. Gonzo wizard

    Oh FFS

    I got one of these. No idea how easy it was to find my details. No indication of how long they were exposed for. And yes nothing about informing the ICO.

    If I was Amazon I'd be analyzing my logs to to at least work out if this data has been mined systematically or not. Potentially somebody has my home address and a list of all the products I've reviewed. Fantastic. Time to stop doing product reviews altogether...

  14. chris street

    Make a subject access request....

    I've spent a half hour on chat with one of the bots, sorry I mean customer assistants.

    It's real.

    They are not reporting to the ICO.

    they have no idea what a subject access request is....

    This is not going to end well for them. Start making SAR's and asking where that information went and they might take notice....

    1. Anonymous Coward
      Anonymous Coward

      Re: Make a subject access request....

      Funny my cs rep denied it even when i read it out. He repeated the text of the email i got when i forwarded it to stop spoofing email.

      Gmail is saying the original notification email is signed by amazon.

      I wants my compo

    2. Aqua Marina

      Re: Make a subject access request....

      "t's real.

      They are not reporting to the ICO."

      Time for some nice helpful people to assist with the reporting process methinks.

      1. This post has been deleted by its author

  15. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Last week, I started receiving emails at my Amazon registered email address from gg.com asking if I wanted to write reviews on Amazon in return for free stuff. Maybe this breach is bigger than they claim...

  16. Lloyd

    Interesting

    I've received no letter which may be because I closed my account, however they did say when I closed my account that they would keep my name, address and order details on their systems for "audit purposes" which potentially means it's been breached but they haven't informed me as my account's closed.

  17. Anonymous Coward
    Anonymous Coward

    I've just received one of these - in plain text. Not even a URL link. The email address it came from was order-update@a*****n.co.uk, which isn't even the customer services department.

    I'm not happy.

  18. N2

    WTF???

    Amazons response to me:

    The e-mail you received wasn't from Amazon.co.uk, and we're investigating the situation. We suggest you never respond to any e-mail message that asks you to provide personal or financial information, open an unsolicited attachment, or navigate to a website linked to in the e-mail.

    1. Mark 85

      Re: WTF???

      Sounds like the left hand doesn't know what the right hand is doing. I'm thinking this old concept applies: " 10% never get the word. The other 90% don't pay attention to it".

  19. Anonymous Coward
    Anonymous Coward

    "Organisations must assess if a breach should be reported"

    "Organisations must assess if a breach should be reported"

    And this is why so much legislation is toothless: it's left up to companies to determine whether they think a breach should be reported.

    Just like Safe Harbor\\\\\\\\\\\Privacy Shield "compliance" is determined via "self certification" by the marketing weasels: "Of course you can trust us with your Personal Data, we don't bite (much, honest)!" We've said we are compliant, so of course we are.

    The whole point of having regulatory bodies is for them to do the regulating (and the hitting with big sticks, when necessary, too).

    I mean, the ICO won't even accept complaints from the public until you have raised your concern with whichever dodgy organisation has misused your data first (and it's not exactly the best idea to have to actually confirm any of your personal details to any of the real dodgy operators out there who had originally vacuumed them up from some even more dubious "genuine marketing lead mailing list", do you think they give a figgy pudding about data protection compliance?).

  20. Anonymous Coward
    Anonymous Coward

    "Beware of Phishing" email looks suspiciously like a phishing email

    So the more detailed explanation essentially says that the original message was to warn amazonions that they might receive phishing emails? And not to click on links in suspicious emails? And A---Zon sent that message in an email that included a strange link?

    I heard a wonderful story on NPR (in the US) about Amazon's use of AI. If this is the byproduct, we should all be very afraid...

  21. This post has been deleted by its author

  22. Anonymous Coward
    Anonymous Coward

    amazon "customer service": we're investigating the situation

    ROTFL, if they say so, it must be true!

  23. Anonymous Coward
    Anonymous Coward

    Why not include some info that only Amazon would have

    But isn't sensitive, like your last order number. Add it on the bottom: To aid you in verifying the legitimacy of this communication, your last Amazon order number was 23462098 on Oct 15, 2018.

    While that information could be had by someone who breaks into your email account, then you are being targeted by spear phishers which is a whole other class of attack.

  24. Arachnoid

    Funnily enough

    This has come up on the very same day Tourtech UK Ltd [ the motorcycle parts company] seem to have sent out a mass email to many customers with an attached receipt for work carried out to the sum of £351.24 . The source appears to be from their email server but they too seem to have neither registered on the ICO Public register nor reported the possible loss of customer data and are "investigating the matter".

  25. rcxb Silver badge

    Relevant Information

    I may be able to shine a little light in the darkness... I e-mailed security@amazon.com a week ago because I got a spammy e-mail specifically offering money to write product reviews on Amazon This is to an e-mail address I only give out to family and retailers I similarly trust with my credit card data.

    It's not the first time I've gotten targeted emails that seem to know I'm a highly rated reviewer on Amazon, but this time they failed to use the BCC field and supplied me with a list of dozens of e-mail addresses that clearly look valid. Not remotely sequential, not dictionary words stuck together, not brute-forcing all random combos, etc. Clearly a list of personal e-mail addresses.

    I requested they check the list of addresses against their user database to confirm or disprove my strong suspicion that their website is somehow being coaxed into leaking private customer e-mail addresses. Then came the Amazon e-mail early this morning...

    Purely speculating now, I wonder if this is related to the phenomenon of lots of new merchant accounts popping up on Amazon, which claim to have millions of items at absurdly low prices, then either send a tracking number for unrelated packages (to stall for time) or else don't even bother pretending they have ever shipped anything. In either case they're playing a numbers game, waiting until their feedback and refund rate is bad enough that Amazon blacklists them, but in the mean time collecting angry e-mails forwarded through Amazon's e-mail proxying system of people asking where their items have gone.

  26. Miss_X2m1

    Small Potatoes

    I received that email as well and I'm located in the USA. I think Amazon has a saboteur in their company. Not only the problem of emails and names being exposed but also thousands of customers who were banned from reviewing their purchases and all their past purchase reviews removed without explanation. Amazon is aware there's a huge problem but rooting out the cause is apparently proving difficult. The Wall Street Journal wrote an article a few months ago https://www.wsj.com/articles/amazon-investigates-employees-leaking-data-for-bribes-1537106401

    "Amazon Investigates Employees Leaking Data for Bribes Employees, through intermediaries, are offering internal data to help merchants increase their sales on the website."

  27. jliv

    Outrageous!

    Opinion, opinion, indignation, opinion, blah, blah, blah, opinion. Further opinion, rant, apology, rant, opinion.

    Signed,

    Someone with an opinion

  28. Pascal Monett Silver badge

    This is an interesting development

    rcxb and Miss_X2m1 have brought my attention to the fact that I too have been receiving so-called notifications apparently from Amazon of things waiting for me at my post office, with a helpful link to some page that is neither a Post Office site nor Amazon.

    Of course, not being part of the numpties that click on links from unknown entities, I just controlled that the link was suspicious and trashed the mail forthwith.

    Now, though, I have to wonder : is this part of the consequences of the breach-that-was-not-a-hack ? I live in France, so if it is, the problem is much larger than just the UK (since Miss_X2m1 is USA-based).

  29. Moog42

    Is it lunch yet?

    I'm just waiting till after lunch to follow this up with my legitimate scam phishing email... click here to secure your account etc...

  30. EnviableOne
    FAIL

    Not their only problem

    They let you add new authenticators for 2FA, but not disable the old ones

    Not sure they see the problem ....

  31. Couldbe

    I got one too and sent a screenshot to Amazon UKs twitter account twice and they just ignored me.

    That's the problem with self regulation, it's hard to prove that amazon hasn't done the reporting assessment properly. At the moment it certainly looks like they're ignoring it and hoping we'll go away.

  32. Mage Silver badge

    I heard about this.

    So I've changed my password anyway, even though they didn't contact me. I'm still puzzled as to why my Author / book selling activities have to use the same account as me as a retail customer. Maybe I made a mistake at setup time.

    I don't trust them.

    I could write an essay about their misleading retailing to Irish customers and misleading deals for Authors.

  33. Mage Silver badge

    Dodgy procedures

    If you have someone's Amazon Kindle Serial number you can report it "missing" or "stolen". They will brick it in sense of blocking connection or registration.

    They will not unblock if you "find" it.

    They will do it without proof that it's actually the owner reporting it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like