• by Laurie Sullivan , Staff Writer @lauriesullivan, November 29, 2021

Amazon mishandled customer data for years, according to a recent report, putting into question whether the advertising industry should create a high-security data protocol and certification clearance for employees who work at companies that handle mounds of consumer data.

Analysis of internal documents by Will Evans at Reveal from the Center for Investigative Reporting, published in Wired, points to how employees abuse customer data, stalk celebrities, and do little to plug major leaks.

The certification clearance, similar to a top-secret government clearance, would reduce or eliminate certain instances of data mishandling found in the report.

The report describes search data, purchase data, what people watch, medicines and supplies bought, what's said to Alexa, and images of people at front doors. The data has become "sprawling, fragmented, and promiscuously shared within the company that the security division couldn’t even map all of it, much less adequately defend its borders," according to the report.

The amount of data is staggering. For two decades of its early history, Amazon, like many companies, outsourced the storage of its data to third-party contractor Oracle. By the mid-2010s, Amazon’s data warehouse had ballooned to become the biggest Oracle database in the world — as much as 1,000 times bigger than any other, according to one Amazon estimate. It held 50,000 terabytes of information.

In one instance, several years later, the report suggests Amazon employees might use their data privileges to snoop on purchases, including sex toys, of celebrities like Kanye West as well as movie stars from the Avengers films.

The report shows many instances of how Amazon’s global workforce has failed to secure and protect one of the largest collections of customer data worldwide, and offers details on instances of bribery, voyeurism, and major security breakdowns such as Cambridge Analytica-like snafus that gave a Chinese data firm access to millions of customers’ information.

Employees also used their data privileges to help sellers sabotage their competitors’ businesses, and take bribes in exchange for their services.

One seller “recruited [Amazon] employees over LinkedIn and Facebook,” according to the report, citing a memo, and paid out approximately $160,000 to employees more than a series of years.

The data includes customer purchase histories available to Amazon’s global customer-service team, with little security or supervision.

Although Amazon is often ranked as one of the most trusted brands, internal documents reviewed in this report -- as well as interviews with current and former employees -- trust is lacking where personal data security and privacy are concerned.

One former Amazon chief information security officer acknowledged in a memo that the company lacks “visibility into the data we’re charged with protecting. We do not systemically know the data flows and storage locations of sensitive data.”

In one example, the names and American Express card numbers of up to 24 million customers were exposed for two years on Amazon’s internal network, outside a “secure zone” for payment data, with the security team unable to determine definitively whether they were unduly accessed.

In May 2018, not long before a September hearing before the U.S. Senate Commerce Committee on the safekeeping and privacy of customer data, Amazon discovered that a Chinese data firm had been harvesting millions of customers’ information in a scheme similar to Cambridge Analytica.

The Amazon team investigated and found the external firm accessed all of that customer data. AMZReview, which Amazon determined was an offshoot of a Chinese data analytics firm, took advantage of an Amazon program that allowed individual third-party sellers to extract their own customer metrics from Amazon's interface, using a special access key.

AMZReview realized it could collect these access keys — and data on millions of customers — from a host of sellers. Amazon's program had become a backdoor for shady operators to amass Amazon customer data.

Despite the data security issues, Amazon has “invested billions of dollars over the years to build systems and processes to keep data secure, and are constantly looking for ways to improve.”

To the company’s credit, in 2018 a set of managers inside the information security division got together to quantify their alarm over the biggest dangers Amazon was facing. They created a maximum "risk score" for any given danger up to 125.

They assessed the danger that breaches at Amazon could “go unnoticed” due to “limited detections, alert fatigue, and manual effort;" that company's “lack of visibility into systems and networks” would create an “inability to detect security incidents;” that the company had an apparent “inability” to protect secret credentials and keys that could unlock sensitive data; and that it had an “inability to identify the location of data.”

Every one of these dangers scored a 125/125.