Amazon’s sprawling retail empire heaves with data — and apparently the dam bursts rather easily, according to a report that broke Thursday.
Reveal from the Center for Investigative Reporting and tech outlet Wired reviewed Amazon documents that illuminated a critical failure to protect the information of consumers and merchants on the platform. Rank-and-file employees reportedly had access to a deep well of account information, leading to cases of snooping, as well as bribery by external bad actors looking to peer into seller accounts and knock off products.
In one such case, a party known as Krasr — identified as Toronto’s Mohamed Multhazim Akbar Ali by CNBC in 2017 — targeted skin care seller Pure Daily Care. A memo noted that Krasr sourced contacts using LinkedIn and Facebook and paid them as much as $160,000 total over multiple years. Amazon caught and discharged seven staffers involved in the scheme.
In response to a WWD request for comment, Amazon spokeswoman Jen Bemisderfer explained that the company “referred Krasr to law enforcement in 2018 as we would do whenever we identify fraudulent activity affecting our customers. As soon as we became aware of this malicious activity, we removed the associated seller accounts and we will continue to enforce and remove seller accounts who have relations with Mohammed Multhazeem Akbar Ali, should any of these surface in the future.”
Whether Amazon responded appropriately may not be the critical issue, as catching someone after the fact is one thing. Identifying the systemic issues that led to the breaches in the first place is another.
The breaking report characterized the division responsible for securing customer data in its retail business as overwhelmed, understaffed and demoralized, partly due to frequent changes in leadership and the vast nature of the information it was tasked with protecting.
Meanwhile, Amazon, in pursuit of its mission “to be Earth’s most customer-centric company,” reportedly allowed workers enormous leeway to access customer data. The flexibility meant that low-level staffers could peek into the buying habits of famous people, take bribes from unscrupulous sellers for rival merchant data, rig marketplace reviews and more, the report claimed. Millions of credit card accounts appeared to be vulnerable, with the security team unable to tell if they were illicitly accessed. Apparently a Chinese data firm raked in information from millions of customers.
Amazon seems to believe that there’s no point in digging up old fodder. According to Bemisderfer, “the claims made in the Wired story are based on information that is outdated and out-of-context and have absolutely no bearing on Amazon’s current security posture.” The company invests billions of dollars to protect data, she pointed out, and it’s in a state of continuous, ongoing work to strengthen its systems.
That includes encouraging people to escalate issues quickly, she said, which can result in overstating or mischaracterizing risk. She believes that’s fine, as it allows issues to be identified and resolved as quickly as possible.
But the biggest security gaps tend to be human, not technical. How Amazon is approaching that aspect, for now, remains to be seen.
Bemisderfer noted that, with Amazon’s privacy and security issues extensively documented and reviewed, it is vigilant in identifying, escalating and responding to potential risks. “An objective review of the facts would have led to the same conclusion,” she added. “Unfortunately, that’s not the approach Wired took to the story and instead came with a predetermined narrative to paint Amazon and our approach to security in a negative light.”