Amazon.com informed some customers on Wednesday that their names and email addresses had been “inadvertently disclosed” as a result of a “technical error,” but declined to provide more details about the security incident.
The e-commerce giant confirmed it sent the messages, adding in a subsequent statement it had “fixed the issue.” Amazon did not say how many of its users had been affected or where and how emails had been exposed. It only said that its website and other systems had not been breached.
Amazon chief executive Jeffrey P. Bezos owns The Washington Post.
Amazon’s limited disclosure comes days before the Black Friday and Cyber Monday holiday shopping frenzies, ahead of a season when holiday e-commerce sales are estimated to total more than $123 billion, according to eMarketer. Its handling of the security lapse drew sharp criticism on social media. Among its own sellers, some took to the company’s forums to complain about Amazon’s tight-lipped handling of the matter. “Who knows what they’re not disclosing about this,” wrote one user. “Hopefully nothing. …”
Others questioned Amazon after it told users there’s “no need for you to change your password or take any other action,” fearing that hackers still might try to use their names and email addresses for nefarious purposes, including phishing scams.
It’s not the first time Amazon has run into security troubles. In October, the tech giant reportedly fired an employee who inappropriately shared customers’ emails with a third-party seller. The security lapse, which Amazon said it was working with law enforcement to investigate, similarly resulted in messages to customers indicating their email addresses had been exposed.
The latest incident, however, could embolden those who would like to see tech giants and other businesses disclose more information about security incidents to their customers. Over the past year, tech giants such as Facebook and Google have experienced more serious mishaps affecting their users’ personal data.
Currently, the federal government has no law requiring companies to tell consumers when their information has been stolen or compromised. Most states do have rules, but they generally only cover incidents in which sensitive personal information, like driver’s license numbers or credit-card information, is taken. That includes Amazon’s home state of Washington, where companies must inform residents of data breaches if the mishap includes the unauthorized disclosure of names along with information like Social Security numbers.