Amazon has confirmed that customer names and email addresses have been disclosed in a Black Friday week data leak. The online retail giant wasn't hacked, there was no breach and there was no apology. There was just an email informing those customers involved (including me) there had been a 'technical error' which had resulted in names and email addresses being 'inadvertently disclosed.' Oh well, that's OK then. Not.
An email from Amazon arrived while I was on a train halfway between London and Leeds. It was not an email I wanted to read. The subject heading of 'Important information about your Amazon.com account' didn't bode well, and the message itself confirmed my suspicions.
"Hello, we're contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action."
That was it, short and not at all sweet. No information about how this happened and absolutely no apology for leaking my name and email address. The official media statement from Amazon was just as abrupt: "We have fixed the issue and informed customers who may have been impacted," it stated, before adding, "Amazon takes all security-related matters very seriously and your account security is our top priority. We have policies and security measures in place to ensure that your personal information remains secure."
Not secure enough, it would seem. Even if, as the Amazon press office in the UK insisted after repeated questioning by The Register, this was "not a breach in the sense of a hack" but rather "an inadvertent technical error", it's still worrying that a corporation the size and profile of Amazon could have allowed the leakage to happen.
Although this appears not to be a breach in the sense of an attack on the customer data held at Amazon, such semantics are cold comfort for those people whose information has been leaked. "This rather looks like an inadvertent programming error that made some details of Amazon's profiles publicly available to random people," Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, told me in an email. Lev Lesokhin, vice president of strategy at software intelligence outfit CAST, adds that "Amazon's vulnerability showed even its development and IT Operations teams need to pay closer attention towards their software structural quality."
Of course, things could have been a lot worse. Assuming that no further data is found to have been exposed by whatever the problem at Amazon was, the fact that only names and email addresses were exposed means the data is of limited value to the criminal classes. Which isn't the same as no value at all, as Richard Walters, CTO of security vendor CensorNet, points out. "Cyber criminals can do a lot of damage with a large database of names and emails," Walters says. "The greatest risk is of brute force attacks - where criminals use a leaked email address and common password combinations to try and break into other personal accounts." If Amazon customers have been using the same login credentials at other sites and services, it could be just a matter of joining the dots for an attacker to get access to a profitable resource.
This is especially true at the moment, with retail fraud attempts expected to rise by 14% across the Black Friday to Cyber Monday weekend according to research by payment provider ACI Worldwide.
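The risk Walters describes leaves a recognisable footprint in a site's own authentication logs: one client address failing against many different accounts in a short time, followed by the occasional success where a reused password happened to work. The following is an added example of how a site operator might flag that pattern; it is not code from this article, from Amazon, or from any of the companies quoted. The log format, the sample lines, the ten-minute window and the five-account threshold are all assumptions constructed for the example.

```python
"""Flag login-failure patterns typical of credential-reuse attacks.

Added example (not from the article): given authentication log lines,
flag any client IP that fails against many distinct accounts inside a
short window, then list the accounts that address went on to log in to.
Log format and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed for this example):
# <ISO timestamp> <client ip> <login result> <account email>
SAMPLE_LOG = """\
2018-11-21T10:00:01 198.51.100.7 FAIL alice@example.com
2018-11-21T10:00:02 198.51.100.7 FAIL bob@example.com
2018-11-21T10:00:03 198.51.100.7 FAIL carol@example.com
2018-11-21T10:00:04 198.51.100.7 FAIL dave@example.com
2018-11-21T10:00:05 198.51.100.7 OK   erin@example.com
2018-11-21T10:00:06 198.51.100.7 FAIL frank@example.com
2018-11-21T10:01:30 203.0.113.9 FAIL alice@example.com
2018-11-21T10:01:45 203.0.113.9 FAIL alice@example.com
2018-11-21T10:02:00 203.0.113.9 OK   alice@example.com
2018-11-21T12:30:00 192.0.2.55 FAIL bob@example.com
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, result, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, result, account = line.split()
        events.append((datetime.fromisoformat(ts), ip, result, account.lower()))
    return events


def flag_stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: set_of_accounts} for every IP whose failed logins touched
    at least `min_accounts` distinct accounts within some sliding `window`.

    A single user mistyping one password many times does not trip this;
    one address walking through a list of leaked email addresses does.
    """
    by_ip = defaultdict(list)
    for ts, ip, result, account in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))

    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts
                break
    return flagged


def successes_from_flagged_sources(events, flagged):
    """Accounts that logged in successfully from a flagged address: the
    strongest signal that a reused password worked and needs a reset."""
    return {account for _, ip, result, account in events
            if result == "OK" and ip in flagged}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_sources(evts)
    for ip, accounts in hits.items():
        print(f"{ip}: failed against {len(accounts)} distinct accounts")
    for account in sorted(successes_from_flagged_sources(evts, hits)):
        print(f"review and reset: {account}")
```

On the constructed sample, 198.51.100.7 is flagged (five distinct accounts in a few seconds) and erin@example.com is listed for review because that address logged in successfully mid-run; 203.0.113.9, which only retried one account, is left alone. In production the thresholds would be tuned against normal traffic and the output fed to rate limiting or a forced password reset rather than printed.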