Amazon inadvertent disclosure of names and email addresses

Authored by Chris Dawson, Editor and Founder, Tamebay

Amazon have written to multiple users informing them that their real names and email addresses have been revealed to other users of the site in what Amazon are describing as an ‘inadvertent’ disclosure.

There’s no explanation of how long the data has been exposed or how many people the information was exposed to. It appears possible that this Amazon inadvertent disclosure was sellers data being exposed to consumers in which case some sellers might even rejoice as Amazon typically limit communications to their own messaging system.

Some sellers could be very happy that their email addresses were revealed if it results in a few consumers contacting them directly for future purchases but that’s not the point – the issue is that the data should have been kept secure in the first place. It also appears that the Amazon inadvertent disclosure may not be limited to UK users.

We’ve received copies of the email from users that received it (below) and the good news is that no passwords or other secure information were released and Amazon claim that the issue has been fixed.

So far, it’s not clear if this Amazon inadvertent disclosure has been reported to the ICO which it appears likely it should be under GDPR, but as Amazon haven’t revealed when they discovered the issue. Under GDPR rules, a company must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If Amazon take longer than 72 hours to report the breach then they will be expected to explain their reasons for the delay to the ICO.

If you received the email are are worried about it’s authenticity then yes it is genuine and there doesn’t appear to be anything you can do about it currently.

“Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,

Customer Service Department”

– Email from Amazon to those affected by the Amazon inadvertent disclosure

Amazon Statement

“We have fixed the issue and informed customers who may have been impacted.”   – Amazon

An Amazon spokesperson told us:

This was not a breach of our website or any of our systems.

Our website inadvertently disclosed email addresses and names due to a technical error that has been fixed.

We emailed customers out of an abundance of caution to let them know their name and email address was disclosed.