Amazon employees spied on shopping history of exes and celebrities, new report alleges

Millions of customers’ credit card information was also stored insecurely, it is alleged

Adam Smith
Friday 19 November 2021 15:09

Amazon gave numerous employees ‘free for all’ access to customer information which allowed low-level workers to see personal shopping history of celebrities and people they were romantically involved with, a new report alleges.

It has been claimed that customer service representatives were given the ability to look up any user’s purchase history on command to ensure quick assistance. One former service representative told Wired that colleagues would look up the purchases of celebrities including Kanye West or Marvel actors – including sensitive purchases such as sex toys.

Other staffers recalled employees looking up the data of exes and girlfriends or boyfriends – despite this being forbidden by Amazon’s policies.

The report, from Wired and Reveal, is based on a series of six-page memos exchanged between numerous Amazon executives from 2016 to 2018, internal Amazon documents dating back to 2015, and interviews with former staff who spoke anonymously.

The system that “allows associates to quickly work on behalf of Amazon customers … puts those same customers at risk from intentional abuse and unintentional exposure by employees and contractors who have been entrusted with elevated privileges”, an internal memo reportedly read.

“We strongly reject the notion that abuse of these privileges is ‘common.’”, an Amazon spokesperson told Wired.

Amazon’s vast company network was allegedly “put together with tape and bubblegum,” according to cybersecurity executive Gary Gagnon who was Amazon’s vice president of information security in 2016.

Gagnon says he made attempts to increase his security staff – having only 300 on a team he believed should be 1000-strong – but was pushed back by Amazon higher-ups who would not provide the resources because it would increase overhead costs.

“I would tell new hires, ‘Assume your budget is zero and go from there. Just be as frugal as you can,’” Ellie Havens, a former business operations manager on the security team, recalled.

In addition, the report alleges that up to 24 million American Express credit card numbers, and customer names, had also been stored in Amazon’s internal network where they could have been vulnerable to attack.

The security team allegedly said they were unable to say whether the details had been accessed or not, because their access logs only went back 90 days.

“We had no idea what the exposure actually was,” Gagnon says. “I was astonished by that.”

It is claimed that one of the causes of these issues was Amazon’s 3,300 teams’ tendency to copy data and store it in various locations, according to a 2018 security memo, resulting in a “mostly undocumented proliferation of copies of their required data sets.”

Even before then, an attempt to map all of Amazon’s data in 2016 by its security team reportedly proved impossible.

Amazon told Wired that “there is no evidence to suggest the data was ever exposed outside of our internal system in any way.”

Another reported scandal saw Chinese data firms harvesting millions of customers’ information using a backdoor in a tool that allows third-party developers to look at their own metrics. Using AMZReview, a service advertised as a way for sellers to boost their Amazon rankings, third-party companies collected the ‘keys’ from 92 different sellers to unlock huge amounts of information without the knowledge of 16 million customers.

AMZReview gave sellers access to the personal email address attached to customers – allegedly allowing them to target buyers leaving bad reviews and entice them to remove them with special offers – but these had allegedly been collected from “other open and breached sources”, Wired says.

One memo said that over half of the third-party developers that Amazon had researched were violating its terms of service. When Amazon discovered companies doing this, it claims that it cut them off; it also used an outside auditor to ensure companies complied with the rules.

“Across 25 years in business, Amazon has an exceptional track record of protecting customer data and has invested billions of dollars to build systems and processes to keep data secure”, an Amazon spokesperson told The Independent in an emailed statement.

“We have relentlessly high standards for security and privacy, and we continuously assess and implement new measures when we see opportunity to further strengthen our protections. The claims made in the WIRED story are based on information that is outdated and out-of-context and have absolutely no bearing on Amazon’s current security posture.”
