Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities. Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] …


  1. I can't believe its not butter

    WTF?

    If I saw an email like that, my brain would be screaming "SCAM".

    "Hello" - no name etc. FFS, whatever made them think that's acceptable?

    1. cbars

      Re: WTF?

      I agree, even easier as there was no action required.

      Hi [Name], We're writing to notify you that your account is among a number which *have* been involved in a security breach. Please log into your account using your normal route to see further information and what steps, if any, to take next. As always, please do not click on links on emails, we will never ask for your details..... blah blah

      If a reset is required, deal with it when a log in is attempted, not using an email link. Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners and images, so people are not trained this way.

      1. CrazyOldCatMan Silver badge

        Re: WTF?

        Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners

        Some time ago, our marketing team wanted a whole slew of twitter/FB/LinkedIn/etc etc buttons added to the bottom of every outgoing email. Even if we were willing to do that (email is a 7-bit ASCII mechanism dammit!) we managed to come up with a (cough) valid technical reason why not - the increase in file size.

        The average email size (without attachments) was about 6K bytes. Once the buttons and associated JS were added, it ballooned up to 200K.

        We pointed this out to Marketing and let them know that increased costs in bandwidth and storage would be charged to them. Mysteriously, the request was withdrawn thereafter.

      2. MachDiamond Silver badge

        Re: WTF?

        "If a reset is required, deal with it when a log in is attempted, not using an email link."

        I've berated PayPal numerous times about sending emails with links to log in. Their communications often looked exactly like phishing attempts. While I'm a cynical old bastard, the vast majority of people are lazy idiots and will click links because "it's so much work" to type in a URL. Given that so many use their mobiles, they are right. I can bang out a URL on a proper keyboard in a blink, but without the tactile feedback, it takes longer on the mobile and between my fat fingers and auto-correct, it can take some time.

    2. ds6 Bronze badge
      IT Angle

      Re: WTF?

      They probably wanted to get it out ASAP. I sure as hell don't personalize my replies when I have to answer tens of the same ticket...

      Still, one would think the biggest tech company in the world would have a better system already in place for this.

      Or a website that isn't vulnerable. One of the two.

      1. Stevie Silver badge

        Re: WTF?

        So how come they didn't have a more businesslike template pre-prepared? It was only a matter of time before they were going to need it.

        1. kend1
          Joke

          Re: WTF?

          It's a fake. A real letter of apology would have included a cc: list of twenty one thousand names and email addresses. And it would be signed by Jen Barber.

          1. GnuTzu Bronze badge
            Meh

            Re: WTF? -- BCC

            That was worth half a chuckle, but it's at least nice to know that Amazon knows how to use BCC--given that others have caused damage by not using CC instead of BCC.

          2. Stevie Silver badge
            Pint

            4 kend1

            Norty man. Have an e-beer.

    3. Fred West
      FAIL

      Re: WTF?

      Nope, more lies and untruths.

      "Amazon suffers data snafu days before Black Friday, emails world+dog"

      No they didn't. They showed real names and email on their website, rather than usernames and user email.

      Who writes this crap?

      1. Pascal Monett Silver badge

        @ Fred West

        Instead of complaining endlessly how this site is crap, why don't you just leave and go to a site you like?

    4. Goldmember

      Re: WTF?

      Yep, I initially thought it looked dodgy when I received the same email yesterday. But the mailbox I use is only for that Amazon account and nothing else, and there were no spurious links in it or actions to take.

      They could have done a much better job of the correspondence. But an explanation on exactly what prompted it in the first place would have been more appropriate and appreciated.

  2. Halfmad

    Best not be too tight lipped Amazon

    You only get 72 hours to contact the ICO here when you become aware of a breach. You don't need to tell them what's happened, just say "we dun goofed and will get back to you", but they will be slightly peeved if you don't get in touch for a few months as usual.

    Not that they'll do anything mind.

  3. Gary F
    Flame

    I received this scam-like email - thanks for verifying El Reg

    This is a terrible email because it looks like a phishing scam. Because it didn't mention an action it wanted me to take such as clicking on a link, it wasn't obvious how this email would benefit a scammer. I studied the email header but it looked pretty genuine. Then I took to Google and it pointed me to this El Reg article.

    I've spent £1,000s with Amazon over the last 13 years and I would expect a decent email from them including an APOLOGY for disclosing my personal details. It doesn't even greet me by name or link to further information to explain in what way my details were disclosed, when the breach happened and how long it exposed my details for.

    I feel really let down and would prefer never to use them again to teach them a lesson, but they obviously wouldn't even notice my missing custom and they know I'd lose out more than they would. I only hope the ICO have put their teeth in today.

    Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(

    1. Florida1920 Silver badge

      Re: I received this scam-like email - thanks for verifying El Reg

      @GaryF

      Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(

      They've obviously mistaken you for Julian Assange. Seen any black helicopters lately?

      1. m0rt Silver badge

        @Gary F Re: I received this scam-like email - thanks for verifying El Reg

        "I don't have a bloody cat, never had and never clicked on anything cat-like."

        Weirdo.

    2. Ken 16 Silver badge
      Trollface

      catalogue shopping

      Haven't you heard, pets by post is the next service from Amazon. When next you open an Amazon locker there'll be a stray cat waiting to follow you home and it will be hungry.

      1. Bowlers

        Re: catalogue shopping

        'Haven't you heard, pets by post is the next service from Amazon. When next you open an Amazon locker there'll be a stray cat waiting to follow you home and it will be hungry.'

        Not by post, that's why they tested delivery by drone.

        1. m0rt Silver badge

          @Ken Re: catalogue shopping

          "there'll be a stray cat waiting to follow you home and it will be hungry."

          The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how malleable your mind is.

          Usually when you fall into the category of 'soft touch' by offering them food, they will then just turn their noses up at you with a look of disgust* to put you in your proper place.

          *Unless a particularly nice morsel. They aren't stupid. Just self-absorbed.

          1. CrazyOldCatMan Silver badge

            Re: @Ken catalogue shopping

            The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how malleable your mind is

            I think I've failed that test - many, many, many times. That's probably why we have seven cats (age range - 12 years to 1 year. Youngest cat was (at this time last year) a two-month old stray living in a friend's garden. Now spends a lot of time sleeping next to the radiator..)

            They aren't stupid. Just self absorbed

            Cat intelligence varies enormously according to the subject matter. Food happens to be a subject that they have PhD-level intelligence in.

        2. Anonymous Coward

          Re: catalogue shopping

          Surely most cats are light enough that you could just deliver them by cannon?

          (j/k: I'm a cat-lover too!)

          1. Anonymous Coward

            No other security software?

            "(j/k: I'm a cat-lover too!)"

            Isn't there a law against that kind of thing?

        3. DuchessofDukeStreet

          Re: catalogue shopping

          I like cats a lot, but I ain't going within a hundred yards of an angry moggy that's been dropped off by a drone - I also like my skin, my clothes and my eyeballs...

          1. Mark 110 Silver badge

            Re: catalogue shopping

            I don't suppose you were pricing Cat-5 cable once? And confused the AI.

        4. David 132 Silver badge
          Coat

          Re: catalogue shopping

          Not by post, that's why they tested delivery by drone.

          Well you can’t get them to walk there... that’s just pussy-footing around.

        5. Ken 16 Silver badge

          Drone space is reserved for Vietnamese Pot Belly Pigs

      2. Ian Emery Silver badge

        Re: catalogue shopping

        They do a people delivery service already, a guy was found (naked) in an Amazon storage box in Japan just this week.

        Yeah, I got the spammy sounding email overnight; luckily this is an account I use for commercial sites I expect to spam me, so the spam filters on it are already set to "kill everything"

      3. Sgt_Oddball Silver badge

        Re: catalogue shopping

        I feel an experiment coming on....

        Amazon order confirmation.

        1# Cat

        2# Geiger counter

        3# Radio isotope

        4# Hydrocyanic acid

        5# Spring-loaded hammer

    3. Dan 55 Silver badge

      Re: I received this scam-like email - thanks for verifying El Reg

      Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain?

      Ages ago somewhere in My Account I stumbled across an e-mail marketing page, disabled every tickbox, and have never had a marketing e-mail since. I assume this is still present.

    4. CrazyOldCatMan Silver badge

      Re: I received this scam-like email - thanks for verifying El Reg

      I don't have a bloody cat, never had and never clicked on anything cat-like

      It's the universe telling you that you are missing something essential from your life..

      (Almost was late for work this morning - $YoungestCat decided that my lap was an appropriate place to curl up as I was eating breakfast..)

  4. N2 Silver badge

    Apology?

    No,

    Just shows what sort of company they really are.

    Any small biz behaving like that would get fucked over by the ICO.

  5. Anonymous Coward

    AWS?

    Apparently even Amazon can't secure a bucket properly.

    1. Anonymous Coward

      Re: AWS?

      piss poor that they reference http not https too.

    2. Flywheel Silver badge

      Re: AWS?

      There's a Hole in My Bucket, dear Liza, dear Liza...

  6. Anonymous Coward

    Support denies it

    Just called their customer service after forwarding the email to their phishing address. They denied everything. Nice chap though.

  7. David Nash Silver badge

    Coincidence? Maybe not.

    I received a fake Amazon Marketplace email but it was obvious from the Subject and Sender that it wasn't real. It had [URGENT] in the subject which clearly marked it out as spam.

    I deleted without opening it. Maybe this was the source.

  8. I_am_not_a_number

    Amazon can't just brush it under the carpet now...

    Might be useful:

    Art. 82 GDPR Right to compensation and liability:

    "...Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

    Data Protection Act 2018:

    Section 168:

    Compensation for contravention of the GDPR

    (1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress.

  9. J J Carter Silver badge
    Trollface

    Nothing to worry about

    They were just releasing the names and addresses of well-behaved children to Santa & his elves to ensure a pressie was left in their sock by Amazon Prime.

    1. Aqua Marina Silver badge

      Re: Nothing to worry about

      He's making a list

      He's checking it twice

      He's gonna find out who's naughty or nice

      Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679

      1. LeahroyNake Bronze badge

        Re: Nothing to worry about

        Omg have another upvote ! Best post of the day by far ;D

      2. Steve Foster
        Childcatcher

        Re: Nothing to worry about

        Except that this would essentially fall under "legitimate interests", providing that he has made sure to do the proper notifications and publish an appropriate privacy policy.

        What, you deleted that email from Santa?

        1. I ain't Spartacus Gold badge
          Happy

          A synthesis of the two is needed perhaps?

          He's making a list

          He's checking it twice

          He's gonna find out who's naughty or nice

          Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679

          He has a legitimate interest if you're sleeping,

          He knows if you're awake

          He knows if you've been bad or good,

          And his privacy policy determines the next action he'll take

          ...

          So you'd better watch out.

          You'd better not cry.

          You cannot opt-out,

          I'm telling you why.

          Santa Claus has a legitimate interest in maintaining data on you and does not need to use the consent model of the GDPR.

          [sorry about the scanning.]

      3. Warm Braw Silver badge

        Re: Nothing to worry about

        Santa Claus is in contravention of article 4 of the General Data Protection Regulation

        That was originally the view of the German town of Roth too.

        Needless to say, the lawyers are already on the case.

      4. Anonymous Coward

        Re: Nothing to worry about

        Surely Santa is legally compliant?

        It's an opt-in list: if you don't write a letter to Santa in the first place, you don't (assuming that you have indeed been good) get any presents, right? Surely everyone knows that...?

        1. activereachmax
          Childcatcher

          Legal? Compliant?

          A hairy alcoholic (16.8 million litres of sherry in one night?) with a sock fetish, dressed by a corporate sponsor in the sugar industry, commits serial breaking and entry, to bring sweets and gifts to certain kids that he has assessed as "nice." And the authorities have done nothing *NOTHING!*

          Save us ICO - you're our only hope.

        2. Steve K Silver badge

          Re: Nothing to worry about

          In order to record goodness (or lack thereof) then he must already have a list (from previous mailings) and be retaining that information.

          1. Richard 12 Silver badge

            Re: Nothing to worry about

            The elves argue that the list is necessary to provide the service.

      5. Ian Emery Silver badge

        Re: Nothing to worry about

        DAMN, Earworm alert!!!

        Got that running around in my head now; but even just thinking it, my brain is falling over whilst trying to get the whole GDPR bit into the tune.

  10. Xenu

    Got one this morning. Asked Amazon to clarify when it was leaked, and how many people saw it etc etc.... no reply.

  11. Aodhhan Bronze badge

    Apparently no responses from real Security Professionals

    I'm among the last to give Amazon any kudos or praises, but let's do an honest gut check.

    If you believe this looks phishy, then you're a ripe target for a well built phishing email.

    You're basically stating, if it looks professional and is well written, then the email is legit.

    Going off grammar or spelling is a method. Just look at the responses to this forum!

    In fact, you should treat all unsigned external emails the same. No matter how they look or are written.

    At any time there is a question... get off your fat ass and investigate it. The return URL is legitimate enough that, if you had followed up on it, your question would have been answered within 5 minutes.

    If the URL had been slightly different, but questionable, there are security tools--such as Fiddler--which you should, as an IT professional, be very comfortable using by now.

    Large organizations should have a mailbox employees can forward an email to, so an InfoSec employee can make a determination.

    In many of our red team out briefs, we comment on how an organization can spend $2 Million on security devices, but it will not do much good if they don't spend money hiring active, as opposed to lazy, IT and InfoSec professionals.


Biting the hand that feeds IT © 1998–2019