Cyber Incident Victim: Amazon.com Inc.
Date: Oct 2020
Location: United States of America
Summary
Amazon notified customers that an employee improperly shared their email addresses with a third party, violating company policies. The individual was terminated and reported to law enforcement, and the company supported criminal prosecution and confirmed that no additional account information was compromised. Security experts highlighted insider threats as a critical vulnerability, exacerbated by remote work environments and the challenge of preventing trusted employees from circumventing defenses, with incidents potentially driven by external financial incentives.
Description
On October 28, 2020, Amazon notified customers via email that an employee had improperly disclosed their email addresses to an unauthorized third party in violation of company policies. The breach occurred when the insider accessed and shared this customer data without authorization. Amazon confirmed the employee involved was terminated following the discovery of the incident and that law enforcement authorities were notified. The company emphasized that no additional account information—such as payment details, physical addresses, or passwords—was compromised. Affected customers were informed the disclosure was not due to any action on their part and were advised no remedial steps were required. Amazon issued a public apology for the incident in the notifications.

In subsequent statements to media outlets, including Vice Motherboard, Amazon revealed multiple employees were fired in connection with the incident and that the company was supporting criminal prosecution of the individuals involved. Security experts cited in reports highlighted the broader challenge of insider threats, noting that employees with legitimate access can bypass external security measures. DomainTools researcher Chad Anderson referenced a contemporaneous attempted Tesla ransomware case to illustrate how threat actors increasingly offer financial incentives to compromise insiders. Code42 CEO Joe Payne linked the incident to heightened risks associated with remote work environments, where organizations rely on decentralized technology setups. Code42’s internal data indicated routine employee file exposure events, underscoring persistent vulnerabilities even with security controls. Amazon did not disclose the number of affected users, the duration of unauthorized access, or the identity or motives of the third-party recipient. The company maintained its standard incident response protocol of termination, legal referral, and customer notification without implementing additional public safeguards beyond existing policies.
