File this under ‘assume everything you put online has been accessed in ways you wouldn’t want’. Wired reported this week on documents that demonstrate Amazon’s apparent fast-and-loose attitude to its own customers’ data:
In the name of speedy customer service, unbridled growth, and rapid-fire “invention on behalf of customers”—in the name of delighting you—Amazon had given broad swathes of its global workforce extraordinary latitude to tap into customer data at will.
It was, as former Amazon chief information security officer Gary Gagnon calls it, a “free-for-all” of internal access to customer information. And as information security leaders warned, that free-for-all left the company wide open to “internal threat actors” while simultaneously making it inordinately difficult to track where all of Amazon’s data was flowing.
It was seemingly a mess over there when it came to customer data on the retail (not AWS) side of the business:
Some low-level employees were using their data privileges to snoop on the purchases of celebrities, while others were taking bribes to help shady sellers sabotage competitors’ businesses, doctor Amazon’s review system, and sell knock-off products to unsuspecting customers. Millions of credit card numbers had sat in the wrong place on Amazon’s internal network for years, with the security team unable to establish definitively whether they’d been unduly accessed. And a program that allowed sellers to extract their own metrics had become a backdoor for third-party developers to amass Amazon customer data.
It’s easy to say you protect customer data (as Amazon has done many times), but unless that protection includes strict internal policies on how it’s used, there will always be weak points, or, if you’re big enough, the possibility of gaping holes.
I worked at a bank on the customer service line briefly after I graduated from university. A popular (at the time) TV presenter called one day for help with their account and because I had to view their transactions, I got to see just how much this person was paid to present one of the biggest shows on British TV. Spoiler alert: it was a lot of money.
I’ve never shared with anyone who it was or how much they were paid because, well, it was confidential, but it was at that point I realised just how fragile personal data is.
Wired’s report hasn’t really cut through into mainstream debate this week because personal data stories rarely do. Deep down, I think we all know that data is at risk, but until someone starts sharing our purchase histories, salaries, and embarrassing messages on massive screens in city centres or all over the internet, we’ll be all too happy to turn a blind eye.