The Anatomy Of Amazon Data Breach Explained
Table of Contents
- Amazon Data Breach of 2019
- How to Find Out About Your Amazon Account Data Breach?
- Who to Contact and What to Do if Your Info Was Compromised in Amazon Data Breach
- Zappos Breach Finally Settled
- Amazon Emails Leaked in 2020
- Twitch Data Lost in 2021
- Can My Personal Information from Amazon be Used for Identity Theft?
- How to Prevent Data Breach
- By David Lukic
- Published: Aug 05, 2020
- Last Updated: Nov 23, 2023
Along with being an online merchant, Amazon also supplies cloud servers to some heavy hitters in the financial, electronics, government, and technical industries. Unfortunately for Amazon, the Capital One data breach in July of 2019 also became an Amazon data breach.
Although Amazon has done its best to distance itself from the incident, the perpetrator who hacked the server was a previous Amazon employee, complicating the equation.
Amazon Data Breach of 2019
The Capital One data breach was devastating to 100 million customers whose names, social security numbers, credit scores, and credit card data were stolen. It is understandable why Amazon wouldn’t want any of the responsibility placed at its door.
The data breach was blamed on a misconfigured firewall used on the Amazon AWS server. A top cybersecurity privacy officer, Mark McCreary, agrees: “You need to configure the security correctly. Somebody made a mistake. This is not Amazon’s fault.” Amazon maintains that the security of the cloud server remained in-tact while the system built upon it was what was breached.
The Capital One data breach that was linked to Amazon took place in July of 2019. However, The Guardian reported an actual Amazon data breach in November of 2018 when customer’s names and email addresses appeared on the Amazon website by mistake.
However, this was later reported by Amazon to be a glitch in the software, not an intrusion by a third-party. The issue was quickly fixed, and Amazon didn’t explain in detail what happened, they simply referred to it as a “technical issue.” It is unclear how many users were affected.
Class Action Settlement
The Capital One data breach sparked a class action lawsuit that enveloped Amazon as co-defendants. Amazon and other charged companies were required to pay for and implement specific cybersecurity measures, including:
- Strengthening cloud governance practices
- Enhancing threat detection and vulnerability management
- Improving training for cybersecurity analysts
- Improving existing restrictive access to information
Apart from cybersecurity improvements, Capital One raised a settlement fund of $190 million for any damaged parties. This money went to anyone who could reasonably trace their losses to the data breach and included losses from:
- Identity Theft
- Identified Fraud
- False Tax Returns
- Or “Other Misuse of Personal Information”
If you’re looking for reimbursement in this case, make sure you’ve documented your circumstances. This includes the receipts from any services you hired, or time spent rectifying damages. Anyone claiming lost time should be ready to detail the actions they took, how long each step required, and if any of these actions required them take any type of leave from work.
Additionally, any losses must have been incurred on or after March 22, 2019.
Paige Thompson Convicted in the Summer of 2022
It was only last year that a former Web Services (AWS) employee was found guilty of infiltrating Amazon’s servers during the 2019 data breach. Paige Thompson, also known under the username “Erratic” on hacking forums, was convicted of seven counts of fraud by a US District Court in Seattle.
The punishment can be up to 20 years in prison.
The Department of Justice reported that Thompson wrote a program that scanned Amazon’s servers for security misconfigurations in cloud-based storage. She used the misconfigured accounts to gain further access to Capital One and install crypto-mining malware that would deposit earnings into her online accounts.
The bizarre part of the situation was how openly blatant Thompson was of her actions. She took to various sites and communities, including GitHub forums, and admitted to stealing the information. Her defense attempted to use this information to argue her position as an “ethical hacker.”
Ethical hackers probe security systems for weaknesses. Many companies hire ethical hackers to stay protected against the most current attack patterns used by black-hat hackers. The Computer Fraud and Abuse Act (CFAA), implemented on May 19, protected ethical hacking.
However, Thompson publicized private information online, which was enough to convince people of her intentions behind the attack.
Thompson was ultimately given a sentence of time served and five years in probation. She spent 100 days in jail and would perform a minimum of 50 hours of community service for each year of her probation. This sentence considered the limited impact of her hacking and mental health problems.
How to Find Out About Your Amazon Account Data Breach?
Capital One notified all affected parties by email or mail directly after the incident occurred. The perpetrator, Paige A. Thompson, an ex-Amazon employee, was arrested by the FBI. You can visit the page set up by Capital One to check to see if your data was breached or contact them via phone at 1-833-727-1234 for more information.
Who to Contact and What to Do if Your Info Was Compromised in Amazon Data Breach
Some of the information breached was social security numbers, credit card data, and banking information. So, if you were affected, the first thing to do is close those accounts and re-open new ones or have Capital One issue you new cards and numbers. It’s also a good idea to enable a credit freeze so no one can open up any new accounts in your name. You may want to consider a credit monitoring service like IDStrong.com, as well. Additionally, you should take these steps:
- Watch out for phishing scams and never click any links within email or download attachments.
- Scan your computer for viruses and malware.
- Change all your bank account and credit card logins and use strong random passwords (with a combination of letters, numbers, and symbols).
Zappos Breach Finally Settled
An older data breach case from Amazon reached an anti-climactic conclusion in 2019.
Zappos, an Amazon-owned fashion retailer, experienced a massive data breach in 2012. The incident lost the names, addresses, passwords, and credit card numbers of 24 million accounts. This made it one of the most significant breaches to date.
While it’s common for corporate lawsuits to run for many years, Zappos’ case was out of the ordinary. After seven years and multiple attempts by Zappos to throw out the case, the final punishment can barely be called a slap on the wrist.
Settled in the US District Court of Nevada in 2019, Zappos was ordered to distribute a 10 percent discount code among affected customers. This code was applicable within 60 days of distribution or by the end of the year, whichever came later. Zappos sent out an email to affected customers, but the actual cost of the promotion was never disclosed.
This light sentencing was due to several factors, including Zappos’ continued denial of wrongdoing. The company also denied its role in the loss of complete or partial credit card numbers. Although, Zappos did agree to pay up to $1.6 million in attorney fees for the plaintiffs.
Despite the settlement looking more like a marketing ploy than a sanction, the seven-year case did have certain long-term effects.
Zappos submitted a plea to the Supreme Court that would require customers to prove they were harmed in a breach. The appeal was denied setting a precedent for future cases.
Today, Zappos has dedicated a section of its FAQ to recognizing and stopping various cybercrime strategies.
Amazon Emails Leaked in 2020
In October 2020, Amazon announced that it had fired an employee for sharing customer email addresses with outside organizations. Ironically, Amazon sent the announcement to affected customers through email.
A similar event occurred earlier in the year when Amazon fired multiple employees for leaking customers’ phone numbers and emails. Amazon didn’t disclose the extent of the damages in either case and refused to comment further.
This isn’t the first time Amazon’s security measures surrounding employees have been lacking. Former low-level employees have admitted to snooping on the buying histories of actors, musicians, and even ex-partners.
Twitch Data Lost in 2021
Amazon’s most recent data breach came from their live streaming platform, Twitch. The service announced an error in its servers that allowed a hacker to access private account information.
Since the streaming platform includes paid subscription services, it potentially affected the financial information for viewers and streamers. In response, the company reset the broadcast keys allowing streamers to go live and interact with their audiences.
Twitch later announced that there’d been no evidence of leaked login credentials and that their servers didn’t store complete credit card information. However, over 100GB of files were posted to 4chan the following Wednesday.
Leaked data included internal documents, source code, and security information and exposed the earnings from the platform’s highest-paid streamers.
The 4chan user described the Twitch community as a “disgusting toxic cesspool,” and claimed they intended to “foster more disruption and competition in the online video streaming space.”
This wasn’t the first time that Twitch was called out for toxicity. Many accused the platform of promoting only “white-cis-hetero-male” streamers.
Can My Personal Information from Amazon be Used for Identity Theft?
The information breached from the Amazon server in the Capital One incident is very damaging and more than enough for a hacker to use to steal your identity. Sometimes these criminals will use only your name and email and contact you through email pretending to be Amazon or Capital One and hope that you click a link that infects your computer with malware so they can steal even more information or take control of your computer. Sometimes they demand that you click a link to go to a spoofed website where you enter your login or other details to “validate your account,” and then that information is in the hands of the cybercriminals.
How to Prevent Data Breach
Although there isn’t anything we can do to protect all the websites and companies where our personal information resides, there are some tips we can take to keep our private information private and our stuff safe. Also, using identity theft protection service will be very helpful.
- Never give out your personal details unless you initiate the call or action.
- Always keep your computer antivirus updated and run deep scans often.
- If, after this Amazon data breach, you received any suspicious sounding email from Capital One, forward them to abuse@capitalone.com.
- Consider freezing your credit to prevent any new accounts from being opened in your name.
- Routinely monitor your credit reports, bank, and credit card statements.
- Be on the lookout for phishing scams, and use common sense when opening emails.