In an effort to address its customers' requests quickly, Amazon reportedly put millions of them at risk. The company has allowed its workforce to abuse its access to large quantities of customer data, and has missed large outside security risks, a Wired investigation found.
Amazon's meager internal security system allowed lower-level employees to snoop on customer purchases, accept bribes from sellers to sabotage their competitors and tamper with customer reviews. The company reportedly had no system in place to prevent employee security risks; Amazon's former CISO, Gary Gagnon, called it a "free-for-all."
Its security system also lets outside threats slip through the cracks. According to the investigation, Amazon's seller metrics program gave third-party developers the ability to hoard customer data; among them was a Chinese data firm that stockpiled the information of millions of its users. Around 24 million American Express card numbers and names also sat in an unsecured spot within Amazon's system for two years, with no way for the security team to check whether the data was improperly accessed.
The company's strapped information security staff may have been part of the problem, as its team of 300 couldn't keep track of the tens of thousands of terabytes of user data.
Amazon spokesperson Jen Bemisderfer told Wired in an email that the company has "an exceptional track record of protecting customer data. The fact that Amazon's privacy and security issues are extensively documented with extensive review from senior leadership highlights our commitment to these issues and demonstrates the vigilance with which we identify, escalate, and respond to potential risks."