Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities.
Emails sent from Amazon’s UK tentacle informed users that the online sales site had “inadvertently disclosed [their] name and email address due to a technical error”.
The email from Amazon, which included an HTTP link to its website at the end, read:
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely, Customer Service
Amazon’s UK press office acknowledged that the email was genuine, saying only: “We have fixed the issue and informed customers who may have been impacted.”
The company did not confirm how many customers had been affected, whether it had informed the Information Commissioner’s Office, what the cause of the breach was, or how or when it had been spotted.
Amazon’s UK press office eventually said that this was not a breach in the sense of a hack, maintaining that the snafu was an inadvertent technical error and that it had emailed customers out of an abundance of caution.
The ICO responded. “Under the GDPR,” said the data protection regulator, “organisations must assess if a breach should be reported to the ICO, or to the equivalent supervisory body if they are not based in the UK. It is always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. The ICO will however continue to monitor the situation and cooperate with other supervisory authorities where required.”
Meanwhile, Amazon’s customer service department initially thought the firm’s own notification email to affected customers was a phishing attempt. A suspicious recipient, wondering whether the shonky-looking email was legitimate, sent it to Amazon customer services asking whether it was real, and got the response: “The e-mail you received wasn’t from Amazon.co.uk, and we’re investigating the situation … We can’t tell how phishers came to target your e-mail address.”