Amazon has confirmed that customers’ names and email addresses were exposed as a result of a technical error on its website.
The online retail giant, which is gearing up for the Black Friday shopping bonanza, denied that the disclosure was the result of a cyber attack.
But it has refused to answer questions about who the personal data was disclosed to or whether it had informed the Information Commissioner’s Office.
In a statement shared with NS Tech, an Amazon spokesperson said “we have fixed the issue and informed customers who may have been impacted”.
As The Register first reported, the company started sending emails to affected customers earlier this week, stating: “We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
Under the EU’s new data protection legislation, companies are mandated to disclose major breaches to data protection regulators.
“It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” an ICO spokesperson said in a statement. “The ICO will however continue to monitor the situation and cooperate with other supervisory authorities where required.”
While Amazon said affected customers did not need to take any further action, security specialists warned that they should change their passwords as hackers could use the exposed data maliciously.
Richard Walters, the chief technology officer of CensorNet, warned that the greatest risk is of brute force attacks.
“Criminals use a leaked email address and common password combinations to try and break into other personal accounts,” he said. “A large majority of people still use predictable passwords, and thanks to previous high-profile breaches many people’s passwords are also readily available on the dark web.”
A recent CensorNet study found that a quarter of UK adults may use their work email addresses for personal accounts. “This means the criminals can potentially use the same brute force technique to break into work networks, which is often far more valuable for the criminal than one person’s account,” Walters added. “If you’ve been affected, make sure you change your passwords quickly on all services you use, both work and private.”