
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Mighty Amazon Cut Down in Black Friday Data Breach

Posted: 28 November 2018


There are many myths surrounding the creation and naming of Black Friday, that yearly American imported shopping bonanza, which these days seemingly includes almost anything, including the dark web, where it was reported that cyber criminal gangs were selling stolen credit card details at a limited discount.

One such explanation for the name is that it is at this time of year, with the build up to Christmas, that retailers go from a negative profit level to a positive one. One can see why, considering the level of consumerism which takes place over the space of a week.

You can therefore imagine that it is of the utmost importance to any retailer, big or small, that this crucial event runs as smoothly as possible. Amazon may look back on this one unfavourably, as they were subject to a reported data breach just two days before the main event (Wednesday 21st November).

Our first indication of this event was the mass email which Amazon distributed to its customer base, warning that a technical error on their website had meant that the personal data of its customers had been widely accessible. We later discovered the reported personal data items to be email addresses and customer names.

Currently, the exact demographic or geographical location of those affected remains unknown, despite experts speculating that it may involve customers in the UK, US and India based on the recipients of the warning email.

The ICO Shrugs its Shoulders

Naturally, as a result, there is much commentary over how this might affect Amazon, in particular with respect to its obligations under the GDPR, which requires the data controller to report a data breach to the supervisory authority within 72 hours of discovering it, where the breach could risk the rights and freedoms of a natural person.

When the ICO (the UK Supervisory Authority) was questioned about the situation by an IT security news outlet, they received a canned response.

“Under the GDPR,” said the data protection regulator, “organisations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and co-operate with other supervisory authorities where required.”

From the nature of the incident so far described by Amazon themselves, there is a data breach by definition under the GDPR, regardless of whether it was malicious or an internal error. Whether the personal data leaked could risk the rights and freedoms of natural persons is for both Amazon and the European Supervisory Authorities to determine. Watch this space.

[You may also be curious to read "What GDPR lessons can we learn from the Uber data breach"]

This however does not exonerate it from embarrassment at home, where the conditions for disclosing a data breach are much more rigid. Headquartered in Washington, Amazon is required by law to disclose details of a data breach to the state Attorney General where it involves 500 or more state residents.

When Phishing is Not Phishing

Comically, it would seem that Amazon were much faster at pushing the customer notification email button than informing their own staff. The Register reports that some of its readers queried the notification email with customer support, worried that it was yet another Amazon themed phishing attempt. And despite it being genuine, customer support confirmed that it did not originate from Amazon.

It would seem there is a lot to be desired at Amazon, when it comes to security and internal communication.

Ultimately, it would seem that Amazon are seeking to play down the issue by admitting only to email addresses and names being at risk; presumably they believe that such personal information is far less important in the eyes of the public.

Those in the know, know better. Particularly in the case of Amazon, knowing the username or email address completes half of the authentication process; and can lead to brute force password attacks or further phishing attacks in order to extract the password from the user themselves.

Amazon should be recommending the following steps:

  • Be additionally cautious of any emails purporting to be from Amazon, requiring you to sign into your accounts.
  • Ensure you are using a sufficiently strong password for your Amazon account.
  • Where possible, use multi-factor authentication to further strengthen the authentication process.

[You might also enjoy reading "Anti-Spam & Phishing Checklist: 5 Techniques which all Mail Filters should have switched on"]


Posted by: Chris Payne, Senior Technical Consultant, Infinigate UK
