Amazon confirms employee data exposed in third-party data breach: What we know

Amazon confirms a data breach involving employee contact details through a third-party vendor, assuring that no sensitive data was compromised and its systems remain secure.

In Short

• Amazon confirms employee data breach via third-party vendor: What we know
• The breach is linked to the MOVEit hack, impacting multiple organisations.
• Incident highlights security risks associated with third-party vendors for large companies

Amazon recently confirmed that some of its employee information was exposed in a data breach involving one of its third-party vendors. According to a statement given to TechCrunch, Amazon assured that its own systems remain secure, and the breach was limited to work-related contact details, like employee work emails, desk phone numbers, and building locations. No sensitive information, like Social Security numbers or financial data, was compromised. Although the vendor’s security vulnerability has since been fixed, Amazon didn’t disclose how many employees were affected.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations,” Montgomery, the Amazon spokesperson told TC.

The breach, reported by TechCrunch, has sparked renewed concern about the security risks linked to third-party vendors. This incident appears to be part of a larger wave of cyberattacks, known as the MOVEit breach, that exploited a security flaw in a popular file-transfer software. During this breach, hackers accessed massive amounts of data from several high-profile organizations. A hacker who goes by “Nam3L3ss” claims to have posted over 2.8 million lines of data from multiple organizations, including Amazon, on BreachForums, a well-known website in the hacking community.

The MOVEit hack was among the most damaging cyberattacks of 2023, affecting hundreds of companies and government bodies. For example, in the U.S., the Oregon Department of Transportation lost 3.5 million records, and a government contractor, Maximus, had 11 million records compromised. A group called Clop, known for using ransomware to hack and blackmail organizations, is suspected of being behind this attack.

What makes incidents like this particularly concerning is that they reveal a growing challenge for companies relying on third-party services for data management. While Amazon’s own systems were secure, they still faced the impact of their vendor’s security issues. When companies use third-party providers, they extend trust to these external systems, often without full control over the provider’s security. This incident shows the risks that come with relying on outside vendors and the importance of checking that their security practices are robust.

For companies and employees alike, this breach highlights the need for vigilant data protection at every step. When organizations outsource parts of their operations, they should make sure that vendors follow strict cybersecurity practices and conduct regular audits to check for weak spots. As businesses continue to rely on external providers, the need for a solid partnership that prioritizes security is critical to protect both company and personal data.