YOUR ORDER HISTORY. Your credit card information. Even your intimate health data.
Amazon is amassing an empire of data as the online retailer ventures into ever more areas of our lives. But the company’s efforts to protect the information it collects are inadequate, according to insiders who warn the company’s security shortfalls expose users’ information to potential breaches, theft and exploitation.
The warnings about privacy and compliance failures at Amazon come from three former high-level information security employees — one EU-based and two from the U.S. — who told POLITICO they had repeatedly tried to alert senior leadership in the company’s Seattle HQ, only to be sidelined, dismissed or pushed out of the company in what they saw as professional retaliation.
The EU-based employee is fighting the terms of their departure from Amazon through European courts. All three spoke on condition of anonymity out of concern they could face retaliation or difficulties in the job market for discussing the details of non-public legal proceedings.
Put together, their accounts paint a picture of a corporate culture at Amazon that they say prioritizes growth over other factors, such as the security of customers’ information, compliance with rules designed to safeguard that data and the careers of employees the company hired specifically to flag problems.
“Imagine if a company the size of Amazon had a breach? The issue is millions of people’s personal identifiable information is at risk,” the first former U.S.-based information-security employee said.
A spokesman for Amazon said that maintaining customers’ trust by protecting their privacy and ensuring the security of their data is a “long-standing top priority” for the company.
“These inaccurate, unsubstantiated and dated claims don’t reflect our commitment to keeping personal information safe. Amazon has comprehensive, long-established privacy and security policies, procedures and technologies in place. We regularly audit our services to ensure compliance and have zero tolerance for employees at all levels who do not follow our policies,” he said.
At a time when lawmakers and government officials are ramping up scrutiny of tech companies on both sides of the Atlantic, the employees’ complaints are likely to strike a chord with regulators.
While Amazon has faced plenty of heat over its labor practices — including alleged efforts to suppress union activity at its warehouses — its handling of data has received less attention.
Yet the company is one of Big Tech’s most powerful players when it comes to data, thanks to the hoards of customer information it collects via its e-commerce platform, its online advertising business and its gigantic cloud computing arm, Amazon Web Services.
Garfield Benjamin, a British academic who has previously written about Amazon’s privacy lapses, said that the company’s “disregard for privacy and security” was indicative of a “big problem.”
“It seems bizarre — although perhaps unfortunately all too common — that a company so intent on making data its primary business should have such poor practices,” Benjamin said when shown POLITICO’s findings. He added, “Is their hubris so great, their assumed power so unassailable, that they see themselves as completely untouchable?”
The consequence for consumers is more than potential loss of trust in Amazon’s privacy and security practices. The company’s practices leave it vulnerable to potential breaches or hacks that could put highly sensitive information into the hands of malicious actors.
The data Amazon holds includes order history, payment information, data collected through its advertising business and, for sellers on its platform, forms of identification. In the wrong hands, it could be held for ransom against the threat of online publication; deployed to defraud people; used to get access to other online accounts; or leveraged in phishing attacks in which stolen data is used to trick victims into paying a fee or revealing even more sensitive information.
More broadly, the accounts raise questions about what corporate values are rewarded at a company that has risen quickly to become the world’s dominant e-commerce player.
ACCORDING TO THE TWO U.S. information-security employees, data is at risk because Amazon has a poor grasp of what data it has, where it is stored and who has access to it.
“If you wanted to do a ‘right to be forgotten,’ it would be next to impossible for Amazon to identify all of the places where your data resides within their system,” said the first former U.S.-based employee. The right to be forgotten, or right to have data erased, is a key tool for citizens under several privacy regimes, including in Europe and California.
The second U.S.-based information-security professional confirmed Amazon’s shaky understanding of what reams of personal information it holds. “Amazon has grown so fast, it doesn’t know what it owns … They don’t know where their data is at, so they don’t know if they are protecting it correctly,” the person said.
The company’s track record on key data-security principles — controlling who has access to what data, patching vulnerabilities, ability to detect hacks, even whether passwords are changed regularly — came in for particular flak from all of the insiders who, together, have decades of experience in the area of information security.
“The quality of the controls that Amazon has in place is appalling. We found hundreds of thousands of accounts where the employee is no longer there but they still have system access,” said the first former U.S.-based employee, adding that such a vast number was possible because of Amazon’s massive workforce and rapid staff turnover. Amazon said it has strict procedures in place when employees leave the company that remove their access.
Amazon has struggled to patch vulnerabilities in its systems. According to internal security reports from 2016 and 2017 seen by one of the former employees, the company declared that it was managing to patch between 55 to 70 percent of its systems. The first former U.S.-based employee likened that to leaving a house with several windows and doors open.
“Amazon’s information technology general controls, considering my experience and where I’ve been in the past, would not have passed muster with most auditors,” the first former U.S.-based employee said. “They were just poorly managed.”
Weak controls mean the company may not even detect a hack. An internal Amazon memo seen by one of the former employees from June 2018 deemed there was a “very high” possibility of critical financial loss or reputational damage to the business because of the company’s “inability to identify adversarial events.”
Amazon said it was not aware of the reports and does not believe the claims to be accurate. It said that any historic concerns that are flagged through routine internal reporting would be fixed, which is the purpose of these processes.
The second former U.S.-based employee confirmed that Amazon fails to properly control access to systems, and that, in a company whose workforce has grown to more than 1 million, reams of personal information are accessible to people who do not have the appropriate role or responsibility.
“You’ve got tens of thousands of … teams connecting to big data,” said the second former U.S.-based employee. “You should have a way to follow all the different types of data. From a technology point of view, you need to know where the data is going and how it’s being protected. That does not exist,” they said.
The former employees were careful to distinguish between issues around Amazon’s internal approach to data compliance and the company’s leading track record in data-security engineering — visible through the products and services developed by AWS.
AWS’s cloud computing products are used by the likes of the U.S. government, and are widely seen as world-beating in terms of data security. One ex-employee described the security tools at Amazon’s disposal as “second to none,” but they said the strength of AWS tools in keeping systems secure is still dependent on how the end user applies them. They also noted that AWS is largely run separately from the rest of the company.
The issue, they said, is that Amazon’s data-security capabilities are undermined by the willingness of the company to override internal controls.
For instance, according to two of the former information-security professionals, data needed for new projects was sometimes improperly classified so that it would go through fewer internal checks.
The company said this is false. A spokesperson said it has comprehensive privacy and security policies, procedures and technologies in place that are observed by executives at all levels. The company regularly audits services to ensure compliance and employees may not be involved in decision-making outside of their role’s remit.
EUROPE’S DATA-PROTECTION RULEBOOK, the General Data Protection Regulation (GDPR), is credited by many for putting privacy on the agenda — especially within company boardrooms, where the fines of 4 percent of global turnover introduced by the legislation are often perceived as an existential threat.
Even so, it was only in late April 2018 — weeks before the regulation came into force — that Amazon created a dedicated team in the information-security department to address the incoming regulation. “The organization was woefully behind,” said the first former U.S.-based employee. Amazon said it had long-standing privacy and security teams and made a standard organizational change to centralize privacy resources in 2018.
The former EU-based employee and others had made numerous attempts to highlight Amazon’s GDPR risk and compliance gaps well in advance of the May 2018 deadline, only to be knocked back, according to two of the former employees.
Documents and quarterly reports sent to senior executives — including Jeff Wilke, the CEO of Amazon’s worldwide consumer business, General Counsel David Zapolsky and Chief Financial Officer Brian Olsavsky — laid out the firm’s GDPR risks and gaps, as well as many of the issues detailed in this article. Amazon said the allegations appear to refer to regular reporting that any responsible company would engage in to keep leadership apprised of important issues, and demonstrates that it correctly provides updates to leadership.
The EU-based former insider was among several information-security employees who repeatedly escalated the risks the company faced in failing to meet EU data-protection standards, according to two of the former employees and legal documents seen by POLITICO.
The EU-based employee is currently in legal proceedings about the terms of their departure in a Luxembourg court. Another security professional settled with the company after being told by the senior leadership of the Amazon legal department to “stand down” because that person’s efforts to highlight GDPR compliance issues did not meet whistleblower-level requirements, according to legal documents and the first U.S.-based former employee. Amazon said it can’t comment on individual employees but that it disputes that anyone was prevented from sharing concerns.
Those hoping that tough EU regulators stand ready to take Amazon to task over any data abuses risk disappointment. More than two years after GDPR came online, Amazon’s lead regulator in Europe, Luxembourg’s data-protection authority, has yet to issue a single fine — against anyone.
A commissioner at the Luxembourg authority said in late December that they were barred from saying how many investigations they have against Amazon by local law, but said that the first fines would land before the end of 2020. A spokesperson at the agency said in January the first fines would land “very soon.”
THE EU-BASED FORMER EMPLOYEE also raised the alarm over Amazon’s compliance with myriad other EU and Luxembourg rules.
Amazon leadership in Seattle undermined the former EU employee’s ability to act as an internal control function in violation of its regulator-approved governance model for the business unit in Luxembourg, two of the former employees said.
For instance, email chains seen by POLITICO show Amazon leadership in the U.S. saying they would need to approve and have the final say on audit commitments for the Luxembourg-regulated entity, in violation of requirements to retain decision-making within the control functions of the unit.
Other email chains show management in Seattle granting itself permission to review and approve access to data requests for the Luxembourg unit that should have been handled by local employees, according to internal policies and regulatory requirements.
The former EU-based employee also ran into trouble when trying to hire team members. They were first told that they must hire into the Seattle office if they wanted to increase headcount, even though the new recruits would be working on European matters for the Luxembourg regulated entity.
“I thought at first it’s a joke … It’s a different time zone and a different culture. The term ‘personal data’ for instance means something different in the U.S. to Europe,” the former EU-based employee said.
In another instance, email chains show that Amazon’s Seattle leadership changed an employee’s contract so that they would be contractually barred from handling sensitive matters for the Luxembourg unit, against the wishes and without the knowledge of the EU-based employee in charge of the team and in violation of policies and regulatory requirements.
The EU-based employee said they felt action like this was designed to undermine and starve the local team of resources.
Amazon rejected the claims and said it has strong and appropriate controls that abide by EU and Luxembourg regulations, which it regularly reviews to ensure it has the right teams and resources in place. It said that where appropriate, concerns are escalated to the company’s head office, showing how seriously it takes information security. It said there is no requirement that all staff need to be in the EU and where this is required the company abides by relevant rules and regulations.
But, according to accounts by the former U.S. employees, being undermined as a line of control in the e-commerce giant’s governance model was not isolated to Luxembourg.
“I was championing a number of issues that my team was raising … and multiple times, we were overwritten. Sometimes, to the point where … inaccurate or incomplete reports were sometimes submitted to regulatory authorities,” said the first former U.S.-based employee.
The employee added that information was kept from them by senior leadership, hampering their ability to report properly to regulators. In one case, they said they were told only after regulatory filings were completed that the company had been inappropriately monitoring systems for two years.
Both former U.S.-based employees were told at one point by their direct management to “stop looking for problems,” even though they were required to do exactly that under multiple laws, regulations and industry requirements and despite the fact that they could be personally liable for issues.
All three employees said they felt they would be kept out of the loop so that they couldn’t raise issues or even perform their roles as a control function in Amazon’s governance model. They would find that they hadn’t been invited to meetings, hadn’t been asked to contribute to reports or hadn’t been given the right information.
A spokesperson for Amazon said employees were not sidelined, but were expected to work within their agreed remit.
AMAZON PUTS GREAT STOCK in its 14 “leadership principles,” which every employee is supposed to follow, and against which they are measured. The principles include “customer obsession,” “are right, a lot,” “frugality” and “earn trust.” All the former employees said they felt those principles were used against them in retaliation for highlighting issues with compliance or security.
For instance, those seeking funding would sometimes come up against senior managers citing the need for “frugality.”
All the former employees said that securing resources to fix issues was tough and that projects would sometimes get shut down or deprioritized halfway through because it would be deemed that the problem was too large.
For example, an initiative to automate access to data and system controls was “severely underfunded,” said the first former U.S.-based employee. The second U.S.-based employee recounted being told by their manager that the system they were trying to secure was “too big.”
Each of the employees who spoke to POLITICO said they had been sidelined or eventually forced out because they had raised concerns about the state of the company’s data security or its ability to comply with regulations.
They said reprisals intensified after attempts to use multiple avenues to escalate their concerns.
The second U.S.-based ex-employee flagged an insecure payments encryption protocol in 2014 only to have to re-raise the issue in 2016 and then again in 2018 before it got fixed. In that case, Amazon had successfully lobbied the standards body to get a two-year extension to fix the issue. An internal statement at the time said that to get the fix done on time would have meant stopping payments in a significant number of developing markets.
“We had an insecure vulnerability that we knew about for five years,” the second former U.S.-based employee said. “That’s unacceptable. I mean, we knew about it.”
The employee said that they were told they weren’t a “team player” and had not “earned trust” for raising issues.
Other Amazonian cultural keystones were also used against them, all the former employees said. The former EU-based employee was told they were not “customer obsessed” because their insistence that data be encrypted would have delayed a project, even though encryption was a legal requirement.
The second U.S. former employee said they would be put to work on projects that were below their pay grade, only tangentially linked to the role they were hired for, or told to stop working on projects that had identified issues. This mirrored an account of another employee recounted in legal documents seen by POLITICO.
A spokesperson for Amazon said that no employees left the company because they had raised concerns around data-security regulatory compliance. They said the claims appeared to come from employees who had ongoing performance issues at the company and decided to leave.
ALL THE EMPLOYEES WHO SPOKE TO POLITICO attributed the company being unwilling to fix issues or deliberately hiding them most directly to a strata of management that sits between the highest levels of the company — which includes vice presidents, senior vice presidents and Jeff Bezos himself — and the rest of the company.
They said that a “cut throat” competitive culture meant that there was jostling in the mid-level layer directly above them for promotions and funds. This meant that there was pressure to report wins over losses and downplay issues within the company — as well as to regulators.
“We were seen to be undermining portions of the organization by saying, ‘Your baby’s ugly,'” said the first former U.S.-based employee. “We were saying we can’t meet this regulatory requirement because we know we can’t do this, and individuals responsible for those things take offense.”
Nevertheless, the former EU-based employee and the first former U.S.-based employees felt their experiences indicate that the problem goes deeper than that mid-level layer of management.
“I gave Amazon every chance to show me it wasn’t the case … by escalating to various internal control functions within the company, by escalating to the global risk-management committee of the company and finally by engaging formal procedures. They could have come back and said, ‘Hey look, we agree there’s a problem, we will work on solving it,’ but they didn’t. Instead they asked me to leave the company,” said the former EU-based employee.
Amazon engaged in the “systematic eradication” of those who raised compliance issues, said the first former U.S.-based employee. “The organization eats its own to quiet the noise of these issues. And then papers over them,” they said.
The second U.S.-based former employee said that a company of Amazon’s stature should have top-level data security. “A little slipup in Amazon is losing hundreds of thousands, if not millions, of people’s data,” they said. “There’s no excuse for a company that is profitable in the numbers we’re talking about.”
CORRECTION: This story has been corrected to clarify that the EU-based employee is contesting the terms of their departure, not their dismissal.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial. Source