22 November 2021

Amazon's Dark Secret: It Has Failed to Protect Your Data


ON SEPTEMBER 26, 2018, a row of tech executives filed into a marble- and wood-paneled hearing room and sat down behind a row of tabletop microphones and tiny water bottles. They had all been called to testify before the US Senate Commerce Committee on a dry subject—the safekeeping and privacy of customer data—that had recently been making large numbers of people mad as hell.

Committee chair John Thune, of South Dakota, gaveled the hearing to order, then began listing events from the past year that had shown how an economy built on data can go luridly wrong. It had been 12 months since the news broke that an eminently preventable breach at the credit agency Equifax had claimed the names, social security numbers, and other sensitive credentials of more than 145 million Americans. And it had been six months since Facebook was engulfed in scandal over Cambridge Analytica, a political intelligence firm that had managed to harvest private information from up to 87 million Facebook users for a seemingly Bond-villainesque psychographic scheme to help put Donald Trump in the White House.

To prevent abuses like these, the European Union and the state of California had both passed sweeping new data privacy regulations. Now Congress, Thune said, was poised to write regulations of its own. “The question is no longer whether we need a federal law to protect consumers' privacy,” he declared. “The question is, what shape will that law take?” Sitting in front of the senator, ready to help answer that question, were representatives from two telecom firms, Apple, Google, Twitter, and Amazon.

Notably absent from the lineup was anyone from Facebook or Equifax, which had been grilled by Congress separately. So for the assembled execs, the hearing marked an opportunity to start lobbying for friendly regulations—and to assure Congress that, of course, their companies had the issue completely under control.

No executive at the hearing projected quite as much aloof confidence on this count as Andrew DeVore, the representative from Amazon, a company that rarely testifies before Congress. After the briefest of greetings, he began his opening remarks by quoting one of his company's core maxims to the senators: “Amazon's mission is to be Earth's most customer-centric company.” It was a stock line, but it made the associate general counsel sound a bit like he was speaking as an emissary from a larger and more important planet.

DeVore, a former prosecutor with rugged features, made clear that what Amazon needed most from lawmakers was minimal interference. Consumer trust was already Amazon's highest priority, and a commitment to privacy and data security was sewn into everything the company did. “We design our products and services so that it's easy for customers to understand when their data is being collected and control when it's shared,” he said. “Our customers trust us to handle their data carefully and sensibly.”

On this last point, DeVore was probably making a safe assumption. That year, a study by Georgetown University found Amazon to be the second-most-trusted institution in the United States, after the military. But as companies like Facebook have learned in recent years, public trust can be fragile. And in hindsight, what's most interesting about Amazon's 2018 testimony is what DeVore did not say.

At that very moment inside Amazon, the division charged with keeping customer data safe for the company's retail operation was in a state of turmoil: understaffed, demoralized, worn down from frequent changes in leadership, and—by its own leaders' accounts—severely handicapped in its ability to do its job. That year and the one before it, the team had been warning Amazon's executives that the retailer's information was at risk. And the company's own practices were fanning the danger.

According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon's vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who's at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn't even map all of it, much less adequately defend its borders.

In the name of speedy customer service, unbridled growth, and rapid-fire “invention on behalf of customers”—in the name of delighting you—Amazon had given broad swathes of its global workforce extraordinary latitude to tap into customer data at will. It was, as former Amazon chief information security officer Gary Gagnon calls it, a “free-for-all” of internal access to customer information. And as information security leaders warned, that free-for-all left the company wide open to “internal threat actors” while simultaneously making it inordinately difficult to track where all of Amazon's data was flowing.

To be clear: This story is not about Amazon Web Services, the cloud-computing wing that manages data for millions of enterprises and government agencies, which has its own, separate information security apparatus. It's about the online retail platform used by hundreds of millions of ordinary consumers. And on that side of Amazon's business, InfoSec staffers warned of an unnerving “inability to detect security incidents.”

By the time DeVore started testifying about Amazon's long-standing commitment to privacy and security, the dangers that the security division had identified weren't just theoretical. According to Reveal and WIRED's findings, they were real, and they were pervasive. Across Amazon, some low-level employees were using their data privileges to snoop on the purchases of celebrities, while others were taking bribes to help shady sellers sabotage competitors' businesses, doctor Amazon's review system, and sell knock-off products to unsuspecting customers. Millions of credit card numbers had sat in the wrong place on Amazon's internal network for years, with the security team unable to establish definitively whether they'd been unduly accessed. And a program that allowed sellers to extract their own metrics had become a backdoor for third-party developers to amass Amazon customer data. In fact, not long before September's hearing, Amazon had discovered that a Chinese data firm had been harvesting millions of customers' information in a scheme reminiscent of Cambridge Analytica.

Amazon had thieves in its house and sensitive data streaming out beyond its walls. But DeVore—who had himself received a report that year warning that far too many Amazonians had access to insecurely stored passwords, and who had aggressively shot down a company lawyer for questioning Amazon's reputation on customer privacy—didn't reveal any of that to the senators.

FEW CORPORATIONS MAKE a fetish of their own precepts and rituals quite the way Amazon does.

Jeff Bezos' famous leadership principles—handed out to employees on laminated cards, posted on the walls, recited verbatim—instruct Amazonians to show a “bias for action” because “speed matters in business” (Principle No. 9). They preach “frugality” because “constraints breed resourcefulness, self-sufficiency, and invention” (No. 10). Above all, they hold that Amazon's leaders should “obsess over customers” (No. 1). In the company's early days, Bezos instituted what he called the two-pizza rule: “No team should be so large that it cannot be fed with just two pizzas.” No matter how huge Amazon becomes, the thinking went, it should be able to keep functioning like a bunch of small, flinty startups—albeit ones with instant, unmediated access to the corporation's world-beating data and logistics. That way, Amazon would remain a vibrant place where, to quote another verse of corporate scripture, it is “always day one.”

Another commandment that Bezos laid down in the company's early years was a ban on PowerPoint presentations, arguing that they encouraged shallow, distracted thinking. Instead, he ruled that Amazonians should present their reports to executives in the form of meaty, single-spaced memos—called six-pagers—to be read carefully and silently at the beginning of a meeting by all in attendance.

Over the past several months, Reveal and WIRED reviewed some of the confidential six-pagers that Amazon's information security chiefs prepared for submission to Jeff Wilke, then the CEO of Amazon's global consumer operation, along with general counsel David Zapolsky and chief financial officer Brian Olsavsky, between 2016 and 2018. This account is based partly on those memos, along with numerous other internal Amazon documents and communications dating back to 2015, as well as interviews with more than a dozen former Amazon data security and privacy staffers, many of whom spoke on the condition of anonymity because they feared retaliation, reputational damage, or legal threats for speaking openly.

Taken together, these sources show that Amazon's data security problems kept amassing through 2018 as the company grew. They also reveal that, in many ways, the division's overwhelming challenges grew out of the very cultural precepts that Amazon holds dear—and out of the world-devouring growth they helped to foster.

In an emailed statement, Amazon spokesperson Jen Bemisderfer said the company has “an exceptional track record of protecting customer data,” and indicated that these internal documents were a sign of its strong culture. “The fact that Amazon's privacy and security issues are extensively documented with extensive review from senior leadership highlights our commitment to these issues and demonstrates the vigilance with which we identify, escalate, and respond to potential risks,” she wrote. “We've invested billions of dollars over the years to build systems and processes to keep data secure, and are constantly looking for ways to improve.”

For two decades of its early history, Amazon, like a lot of companies, outsourced the storage of its data to a third-party contractor, Oracle. But by the mid-2010s, Amazon's data warehouse there had ballooned to become the biggest Oracle database in the world—as much as 1,000 times bigger than any other, according to one Amazon estimate. It held a staggering 50,000 terabytes of information.

At Amazon, 3,300 small teams—which were represented in one internal map as a celestial orb comprising so many points of light—were tapping into that data every day, all hungry for their own analytics. They had a tendency to grab the data they needed, copy it, and store it elsewhere, according to a 2018 security memo that analyzed the roots of the company's data risks. The result: a “mostly undocumented proliferation of copies of their required data sets.”

That rapid and furious proliferation was, in part, what made it nearly impossible for the information security division to get a handle on Amazon's data. “The increasing number of copies of data sets, combined with Amazon's decentralized accountability and ownership model,” the memo said, saddled the security division with a Sisyphean task. In 2016, in fact, the security team attempted to map all of Amazon's data—and was not able to do so.

By then, Amazon had embarked on a massive, multiyear effort to transfer its Oracle-based data to a new internal system, housed on Amazon Web Services' own servers. (At one point, the guy in charge of that transition—a data warehousing expert named Jeff Carter—described his job in a public presentation by showing a photo of a few men changing the tires of a car tilted precariously on two wheels as it sped down the road.) But there was still data scattered in the wind, untagged, unmapped, untracked.

At the same time, a different stratum of Amazon's empire presented another set of unruly vulnerabilities. Around the world, thousands of Amazon customer service representatives sat in rows of cubicles in call centers or at computers in their own homes. To ensure that they could help customers as quickly as possible, the company gave them the ability to look up nearly anyone's purchase history on command. One former service rep, who requested anonymity, said he remembered colleagues looking up the purchases of Kanye West and movie stars from the Avengers films, even scoping out a few dildos in a particular celebrity's purchase log. Other staffers recalled coworkers looking up exes and girlfriends or boyfriends. “Everybody, everybody did it,” a former customer service manager says. They weren't supposed to, of course. Amazon repeatedly made that clear. In a statement, Amazon's Bemisderfer wrote, “We strongly reject the notion that abuse of these privileges is ‘common.’” But the tools were right there; agents could start a “research session” to look up a customer who wasn't on the phone, then just type in a name.

As early as 2015, executives knew that employees' broad access privileges were a problem at Amazon. But voyeuristic curiosity was the least of their worries. That year, an internal audit, first reported by Politico EU, found that tens of thousands of employees had the ability to “spoof” a seller account—with many of them possessing access to secret keys that allowed them to issue refunds and view customer order histories as if they were the vendor. And according to the auditors' conclusions, 23,000 of them shouldn't have been granted all those powers. Amazon told Politico that, like any company, it audits its policies for compliance and makes improvements based on these findings. But a 2010 audit had arrived at similar conclusions, and the problems had persisted.

Amazon's system, a much later memo would say, “allows associates to quickly work on behalf of Amazon customers, but puts those same customers at risk from intentional abuse and unintentional exposure by employees and contractors who have been entrusted with elevated privileges.”

But in some ways, one of Amazon's most knotty sources of vulnerability was the information security division itself—and how ill-equipped, dysfunctional, and adrift it was, even as dedicated security staffers performed heroic feats against tall odds. In March 2016, the division's longtime chief, George Stathakopoulos, left for a job at Apple, which sent the team into several months of limbo. But the division's bouts of turmoil would go deeper and last much longer than that.

AROUND THE TAIL end of 2016, a guy named Gary Gagnon—a cybersecurity executive with decades of experience, primarily in federal government work—flew to Seattle to discuss becoming Amazon's new vice president of information security. His last interview of the day was with Wilke, the consumer CEO, who met Gagnon in a small conference room off of his modest office, dressed in a flannel button-down and jeans. The outfit was part of a tradition, Gagnon recalls Wilke explaining: He always dressed like a warehouse worker during the peak holiday shopping season, to remind folks at headquarters of the people who really kept Amazon churning.

Gagnon wasn't that eager for a new job, he says, but he was blown away by Wilke, and how humble he seemed for someone who commanded the largest online retail operation on earth. “OK,” Gagnon remembers thinking, “this is a guy I can work for.”

Everything went downhill from there. At an all-hands meeting in the beginning of 2017, Wilke introduced Gagnon as the security division's new leader, shocking some staffers who had been expecting the acting chief, a longtime insider, to get the job. When Gagnon gave his first speech to his team, his frequent use of the prefix “cyber-” instantly grated on some in the division, who regarded it as the tic of an East Coast government type. “It became a joke from day one,” says one former manager. Gagnon says a staffer later pulled him aside and duly advised him to lay off the term “cybersecurity.”

As he settled into his new role, Gagnon quickly realized that all was not well with “information security”—as he was urged to call it—at Amazon. The size of the company's network was astounding, but “it was all put together with tape and bubblegum,” a tangle of old and new software, Gagnon says. “It grew up out of a garage and it just kept going from there.” New consumer products were locked down with the utmost secrecy before launch, Gagnon says. But otherwise it seemed like everyone on the network had access to nearly everything, including customer information—and yet there was no insider threat program dedicated to preventing rogue employees from abusing their access while he was there. More fundamentally, he says, the team didn't seem to have any systematic way of prioritizing its biggest security risks. “It was shocking to me,” Gagnon says.

He inherited a team of 300-odd people but thought it should have probably been more like 1,000. But when he tried to beef up his staff, Gagnon soon found out that the frugality he'd admired in Wilke was going to pose a problem for him: Upon asking for more resources, he says, the consumer CEO usually turned him down. (Wilke could not be reached for comment.)

The division, Gagnon came to believe, was essentially dead weight in Wilke's profit-and-loss calculation. The information security team over at Amazon Web Services actually generated revenue with products for the cloud division's enterprise customers. But on Wilke's consumer side of the business, Gagnon says, InfoSec was seen as another overhead cost, one that cut into other projects that made Amazon faster, more profitable, and more pleasurable. “The philosophy at Amazon was about customer experience. They wanted to delight the customer,” Gagnon says. “And that was at the expense of everything else.”

Amazon says it “will never sacrifice security for costs.” But in Gagnon's view, investment in information security was spare: “The budgets didn't align with the needs.” Some former security staffers echo him on this sense of austerity in the division. “I would tell new hires, ‘Assume your budget is zero and go from there. Just be as frugal as you can,’” says Ellie Havens, a former business operations manager on the security team.

In an August 2017 six-pager to Wilke, Gagnon outlined a host of risks that stemmed from Amazon's breakneck growth and his security team's thin resources. New devices connected to Amazon's system were continually being discovered without a centralized system that tracked them all; new fulfillment centers were going up like gangbusters, with warehouse computer security “failing to keep pace”; and payment processing was being expanded to multiple new countries every year, with the security team struggling to keep up.

In the midst of all that expansion, Gagnon wrote, breathtaking things were slipping through the cracks. Just that May, staffers had discovered that, for a period of two years, the names and American Express card numbers of up to 24 million customers had sat exposed on Amazon's internal network, outside a “secure zone” for payment data. It was as if a bank had realized that some sacks of cash had been left in a back office, outside the vault, for several seasons. The exposure was corrected, but the scariest part was that there was no way to be sure whether anyone had snooped on the payment credentials during all that time—because the data set's access logs only went back 90 days. “So we had no idea what the exposure actually was,” Gagnon remembers. “I was astonished by that.” (Bemisderfer says, “There is no evidence to suggest the data was ever exposed outside of our internal system in any way.”)

A more fundamental problem facing Amazon, as Gagnon sized it up in his memo, was this: “We lack visibility into the data we are charged with protecting,” he wrote. “We do not systemically know the data flows and storage locations of sensitive data.”

In security terms, the implication was obvious: If the team didn't know where all the data was, how could they make sure it wasn't leaked, stolen, or manipulated inappropriately? But Gagnon also saw another giant hazard on the horizon. In April 2016 the European Parliament had passed the General Data Protection Regulation, a sweeping consumer privacy law that would go into effect in 2018. After that, firms operating in Europe would be allowed to use people's data under a stringent set of conditions, and sometimes only with their consent. Companies would also be required to make it possible for customers to have their data deleted. “I don't know how the hell we're going to deal with that,” Gagnon remembers thinking, “because we have no idea where our fucking data is.”

But these kinds of privacy concerns didn't seem to be high on the company's list of priorities either. When Gagnon went to David Treadwell, the vice president in charge of Amazon's retail technical infrastructure, to ask how the company was going to handle getting itself into compliance with GDPR, Treadwell's reply, according to Gagnon, was: “What's GDPR?” Gagnon says he was later told not to worry, that the company had hired lawyers to get Amazon ready for the law. “When I brought this up, one of the lawyers from the legal department came into my office and told me to completely back down,” he says.

“They wanted to delight the customer,” Gagnon says. “And that was at the expense of everything else.”

It wasn't that executives like Wilke didn't care about keeping customer data safe, Gagnon says. “They did what they thought was enough,” he says. “They're making a ton of money. Their stock is going up ... They had no indications that any of the cyber stuff was going to affect their business.” Or at least, it hadn't yet.

In June 2017, at a giddy town hall meeting led by executives from two major American corporations, Whole Foods CEO John Mackey announced that after a “whirlwind courtship” Amazon had decided to purchase the upscale grocer for $13.7 billion. He described how, in just a matter of weeks, the two companies had gone from their first “blind date” to becoming “officially engaged.” Looking back at the executives' first meeting together, Mackey joked that “it was truly love at first sight.”

The security team at Amazon, which had repeatedly warned of the risks posed by constantly gobbling up new subsidiaries and folding them into the company's network, was less smitten. Less than a week after the shotgun wedding was finalized, an analyst at the credit card processing company First Data called an Amazon employee with an ominous tip. A Ukrainian broker had just put some credit card data for sale on the dark web that could indicate a breach at Whole Foods.

Amazon's security division jumped into action, alerting Whole Foods and launching an investigation. Over the next few weeks, the team determined that a notorious group of Ukrainian cybercriminals had been inside parts of the Whole Foods corporate network since January. The attackers had control of 20 employee accounts with powerful levels of access. They had burrowed so deep that the Whole Foods team working on the breach had to be moved to an entirely different email system to communicate without fear of the hackers snooping, according to an internal memo.

Once the security division kicked out the attackers, Amazon notified customers that hackers had made off with credit card details for purchases made at some restaurants and taprooms inside the grocery chain's stores. The hackers hadn't made the jump from Whole Foods into the larger Amazon network, but it still wasn't a good look. The breach made headlines.

With customer loyalty and trust at stake, the breach might have supplied an opportunity for Gagnon to make the case for more investment in security. But he wouldn't be sticking around much longer. In October 2017, just a month after the Whole Foods breach, Gagnon and a slew of other staffers flew to London for ZonCon, Amazon's invite-only information security conference, an event for team building and recruiting. Gagnon didn't make it through the conference.

His fate was sealed one night at a private dinner for the event's speakers. Precisely what happened there is under dispute, but Gagnon never returned to work for Amazon. The next day, he says, he was pulled into a video call with Treadwell back in Seattle, who told him to leave the conference and fly home. When he got back to the States, Gagnon says, he was told that what happened in London was “inexcusable” without receiving any additional detail. He was fired the following week, the company confirmed.

Whatever really took place, the upshot for the division was more instability. “We went back to Lord of the Flies,” says a former Amazon security manager. “It was just a shit show.” The team was leaderless again after less than a year. With chaos at the top, other senior staffers and managers would leave too, leaving the group unsettled and lacking institutional memory. Projects got derailed, and security would lose its top advocate in high-level meetings, former staffers say. The division's teams would hunker down in silos, sometimes fighting among themselves and operating without a strategic vision. As the search dragged on, some staffers began to wonder why it was so hard to find a new chief. “We couldn't find anybody for the longest time,” says Havens. “I think word had gotten out that it wasn't an easy place to work in security.”

Finally, Amazon moved another leader into the top information security role—someone who had at least proven himself inside the company. The division's new chief was Jeff Carter, the guy who had orchestrated Amazon's monumental data migration from Oracle to Amazon Web Services. But there was a hitch: Carter didn't have experience in data security. As he himself would later joke in a presentation, viewable on YouTube, his reaction to the job offer was to say, “Uh, this doesn't seem like an entry-level job for a security person.”

It wasn't. Around the time Carter arrived, a set of managers inside the information security division got together to quantify their alarm over the biggest dangers Amazon was facing. Each danger was assigned three scores: One for how badly it could affect the company, one for how likely it was to happen, and one for what power Amazon had to control it. Then those three numbers were multiplied together for a total risk score.

Atop the security team's list was the danger that breaches would “go unnoticed” due to “limited detections, alert fatigue, and manual effort.” The impact of such a scenario, the managers determined, could be “critical” (5 out of 5), its probability was “very likely” (5 out of 5), and the team had “no controls” against the company's exposure to it (5 out of 5). Total risk score: 125 out of 125.

Next up, the managers evaluated the danger that “lack of visibility into systems and networks” would create an “inability to detect security incidents.” Risk score: 125 out of 125. Then there was Amazon's “inability” to protect secret credentials and keys that could unlock sensitive data: 125 out of 125. Then came Amazon's “inability to identify the location of data.” 125 out of 125 again.

Amazon says these risks were “overstated.” But around that same time, yet another dire-sounding message issued from a unit inside the security division called the Security Operations Center, which was responsible for detecting and responding to attacks. A memo from the team warned that, because the group relied on humans to report problems when they came upon them instead of having an effective automated system to proactively search for evidence of a breach, an attacker could conceivably hide out in Amazon's network for years without being noticed.

Amazon claims this memo ignored “multiple compensating controls and fallback measures” that the company had in place to prevent intruders. Still, the document's urgency was palpable: “We can't scale with people, there are just not enough so we must scale with automation.” But automation, the memo went on, was “currently underfunded.”

As Carter settled into his new job, in short, the alarms sounding within the information security division were cranked up as high as they could go. Elsewhere in the company, meanwhile, another group of staffers had been boiling over with their own concerns about Amazon's handling of customer data.

GARY GAGNON WASN'T the only one who blanched at the thought of preparing the company to comply with Europe's GDPR. At a time when the world was growing increasingly concerned about tech companies' use of personal data—not just whether they kept it safe from cybercriminals, but how they themselves passed it around and milked it for profit—Amazon had only a small handful of employees who were officially charged with ensuring customer privacy across the organization. Most of them were clustered in the company's legal department under associate general counsel Bill Way. And throughout 2017 they struggled to advocate for privacy in a company that hated to slow down, where executives often seemed not to appreciate their efforts.

In May 2017, a senior engineer among this small group of staffers sent an email to Way sketching the general lay of the land: Addressing privacy issues around the company had become “a brutal game of whack-a-mole,” he wrote.

“I've had several conversations with internal employees that were not happy with the transparency and privacy practices of tools they were developing, but attempts to fix this were knocked down by leadership,” the engineer wrote. “Of course, these individuals have to take their career into account before fighting against their reporting chain too much on those issues, and it points to the need for a centralized privacy team to handle those escalations and battles.”

Other tech giants, the engineer wrote, had more mature systems in place for working through complex privacy issues, and Amazon was falling behind. (Google, for instance, had scores of employees working on privacy.) “Without a privacy development team to own that work,” he concluded, “I'm not sure we are well positioned to catch up.”

In the fall of 2017, a different staffer—an Amazon compliance expert—wrote a memo to Way and others warning that the company could face multibillion-dollar fines over privacy issues if it didn't shape up. The memo argued that Amazon should aim to have more than 30 dedicated privacy staffers instead of just a handful, and said the company offered few to no resources for privacy training, the development of products for privacy, or data mapping. (That staffer later alleged that he was pushed out of the company in part for raising these issues, according to records reviewed by WIRED and Reveal. Politico EU also reported on allegations that the company punished staffers for raising security concerns. “Employees did not face retaliation,” Amazon says. “No employees left the company because they had raised concerns around data security regulation compliance.”)

Later that year, when members of Amazon's legal team tried to help the company up its privacy game, their efforts, too, were shot down. That December, a company lawyer polled a group of colleagues on whether Amazon should join the International Association of Privacy Professionals. Google, Facebook, Microsoft, Twitter, Oracle, and Salesforce had already become corporate members, giving hundreds of their employees access to its resources. A top-tier corporate membership cost $25,000.

“It's a relatively cheap way for the company to keep our privacy professionals connected into that network and to show that the company is sensitive to and thoughtful about privacy issues generally, instead of being mostly conspicuous by our absence,” wrote a Japan-based Amazon lawyer in the thread.

But Andrew DeVore—the associate general counsel who would ultimately testify before Congress about Amazon's “long-standing commitment to privacy and data security,” and the most senior person on the chain—batted the idea away: “I don't think it's a particularly useful forum for us to achieve any broader privacy objectives.”

Other lawyers tried to argue back, but it didn't go well. “It is a very uncomfortable situation to be present at IAPP events as a private member,” wrote an Amazon attorney based in Germany, “while it is clear that I am working for a company that is perceived as not being interested in privacy issues.”

That set DeVore off.

“Anyone—and in particular anyone who purports to have any real involvement in or understanding of privacy issues—who believes Amazon is ‘not interested in privacy issues’ is a complete and utter ignoramus,” he replied. “We wouldn't be here, and we would not have the incredible array of privacy protective products and services that we make available around the world, if we weren't absolutely privacy obsessed in all we do. We have been from day one, and it [is] still day one. So I hope, and fully expect, that all of you push back hard on that kind of crap.”

Amazon didn't join the privacy organization. Amazon Web Services, the cloud computing wing, later did. One former Amazon lawyer who worked on getting the company ready for GDPR argues that DeVore's contention that the company designed its products with privacy in mind is simply inaccurate. At the time, “Amazon didn't have meaningful controls to limit access and sharing of user personal data, including sensitive data, within the company,” the lawyer says. “Within Amazon, user personal data flowed like a river.”

As the May 2018 deadline for complying with GDPR drew closer, the issue of data privacy surged to the forefront of public attention—courtesy of the Cambridge Analytica scandal, which erupted that March. Suddenly morning news shows and nighttime comedy hosts were chewing over a convoluted story about a third-party developer who took liberties with data freely acquired through Facebook's application programming interface. In a matter of days, Facebook's market cap dropped by more than $35 billion.

Inside Amazon, privacy staffers feared their company could careen into its own submerged iceberg of a privacy scandal. After all, Amazon wasn't even doing much to steer clear of the giant glacial mass that was looming right in front of it: Europe's new privacy regime, which threatened fines in the many millions of dollars. Finally, with only five weeks before the May 25, 2018, enforcement deadline, “the decision was made” to create a privacy team to help prepare the world's largest online retailer for the new law, according to a July 2018 information security memo.

Amazon says that it has always had privacy staffers distributed across the company, that it “began planning for GDPR years in advance” and simply opted to centralize its efforts in the run-up to the deadline. But months later, in front of the Senate Commerce Committee, DeVore still seemed miffed that the European law had distracted Amazon from its customer-centric priorities. “Our long-standing commitment to privacy aligned us well with the principles of the European Union's General Data Protection Regulation,” DeVore said. “Meeting its specific requirements for the handling, retention, and deletion of personal data required us to divert significant resources to administrative tasks—and away from invention on behalf of customers.”

Considering DeVore's testimony, Gary Gagnon has a hard time stomaching the claim that Amazon was well-aligned with GDPR and had privacy at its core. “It's all bullshit,” he says. “Complete bullshit.”

IN THE SPRING and summer of 2018, Amazon looked like an unstoppable force with a brick on its accelerator. The company had over 575,000 global employees. Jeff Bezos had been declared the world's richest man, and Amazon was on the verge of becoming the world's second company, after Apple, to reach a value of $1 trillion. As Bezos reported in his annual shareholder letter that April, more than 100 million people around the world had become Prime members, and they were going bonkers for smart devices like Echo Dots and Fire TV Sticks—products that turned their daily lives into ever more Amazon data points.

It was at this moment of relative triumph that a dam seemed to break. In a rush, the vulnerabilities that Amazon's security division had been flagging were manifesting in a series of gut-wrenching discoveries.

One day in late May, Amazon's risk intelligence team stumbled on a sketchy-looking service that was being offered to Amazon's third-party sellers—a business scheme that harvested Amazon data in ways that were, in some respects, evocative of Facebook's Cambridge Analytica debacle. Called AMZReview, the service advertised itself as a way to help sellers boost their rankings on the Amazon platform, and it claimed to possess detailed information on millions of Amazon customers. As the team investigated, they discovered a disturbing truth about how the folks at AMZReview had gotten their hands on all that customer data: Amazon had let them have it, according to a draft of a memo that detailed the team's findings.

Amazon's retail platform had long offered sellers a convenient program that allowed them to pull data about their customers. All they needed was a special key to tap into Amazon's interface, and they could unlock access to customers' information, including names, mailing addresses, phone numbers, the products they'd ordered, and the dates when they'd ordered them. The idea was that sellers could use all that data to manage their businesses, possibly by hiring their own software developers to build analytics tools.

The problem was that third-party companies, hungry for data to monetize, had realized they could collect the keys from many different sellers and amass huge pools of customer information without customers' knowledge. This door had been wide open for years, with companies gaining easy access to Amazon customer data, until the intel team discovered AMZReview.

In exchange for access to all the customer data that Amazon provided, AMZReview offered to help sellers attain a crucial piece of information that Amazon strictly withheld: the personal email addresses attached to customers and their reviews. Bad reviews can sink a business on Amazon, but with the right email addresses, sellers could induce dissatisfied customers to take their reviews down, or entice people to leave good ones with special offers.

How did AMZReview know those email addresses? The service, Amazon determined, was an offshoot of a Chinese analytics firm called TouchData, and it seemed to have obtained the customer emails from “other open and breached sources” of data on the internet. From there, it had ways of matching addresses to Amazon reviews, with a modest success rate. In all, AMZReview obtained access keys from 92 different sellers, allowing it to pull all of their customer information from Amazon's system. It claimed to have information on 16 million Amazon customers. (The intel team said it was able to verify only that AMZReview had likely harvested the information of 4.8 million. TouchData denies that it was ever connected to AMZReview, which is no longer active.)

When the risk intel team first reported the discovery up the chain, “the color was draining from people's faces,” says one person involved in the meetings. “It was a fucking shitstorm.”

The problem was far bigger than just AMZReview, which was only one player among many that could harvest data from the information Amazon gave to sellers. Merchants accessed billions of customer orders through Amazon's interface with little oversight. The largest third-party developer had access to a billion orders. Sure, there were rules for how sellers and developers were supposed to use the system. But it appeared, the memo said, that more than half of the third-party developers the company had researched were violating Amazon's terms of service. A former staffer familiar with the details says that most were probably legitimate businesses. But still, the former employee adds, “there was a massive hole. It was really unmitigated.”

The memo said Amazon had been “oversharing” customer details, handing out many different kinds of data points, often without regard to what sellers actually needed. And Amazon had “no way of knowing,” the memo said, if the data was being accessed by actual sellers or by third-party companies who were doing who knows what with it. The companies could be selling the data outright or using it to create targeted marketing aimed at Amazon customers. “We believe such use could violate customer trust if customers understood what was happening,” it said.

Amazon's leaders wanted the problem solved, and fast. The memo set forth a plan: Amazon would limit the data shared with sellers. It would regularly audit the companies that were pulling data to catch any misconduct. As for the massive amount of data that had already leaked out, they decided to simply ask the biggest companies to please get rid of their historical data on Amazon customers. Amazon says it used external audits to make sure the data was trashed.

“The biggest concern was just optics,” says a former Amazon employee who had knowledge of the situation. “If it had come out that that was happening? All that embarrassing shit that you ordered on Amazon, there's some Chinese company that could pin down the date you bought it? Obviously they wouldn't want anyone to know about that.”

Some people involved couldn't help but think of the still-broiling Cambridge Analytica scandal. But while Facebook got publicly barbecued, Amazon dealt with AMZReview quietly. Some privacy advocates say the company should have come clean. “They should have said, ‘Here's what is going on, here's what we did to fix it, and here's what we know about who got their hands on your data,’” says Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation.

Amazon says there's nothing to see here. “There was not a data leak,” says company spokesperson Jen Bemisderfer. “We have strict policies and contractual terms in place that prohibit the misuse of customer data by sellers and service providers, and we continuously monitor and audit our systems to detect misuse and enforce our policies.” When Amazon discovered companies abusing their access, it cut them off, she says. Amazon also invested in an outside auditor to make sure companies comply. As for how many customers had their information shoveled up by companies misusing the system, Amazon had “no response.”

As bad as it was, AMZReview wasn't the only problem the company discovered that May. At almost exactly the same time, Amazon's security division learned that several Amazon accounts belonging to employees in China had been used to bypass controls in the company's customer service platform. According to an internal memo, those accounts had then changed the email addresses attached to some 36,000 customer profiles, a move that would have allowed the attackers to take over the customer accounts and use them for fraud. Eight employees, including an IT engineer, were potentially involved and appeared to be in league with Chinese companies that provide services to Amazon sellers. Several employees were fired, according to the memo, and a technology team corrected the vulnerability that had been used to change email addresses within days of its discovery.

The security division also learned that someone inside Amazon's system had logged in to 6,581 customer accounts and deleted reviews they'd written. The two incidents appeared related. Someone was gaming one of the world's biggest marketplaces, and they had inside help.

When Jeff Carter—the new security chief who didn't have security experience—was ready to submit his first quarterly six-pager to senior execs in July 2018, he started by capturing the still-bedraggled state of the security division. “Through various management transitions, there has been a breakdown in trust amongst teams within the InfoSec organization, which has impacted teamwork, morale, productivity and retention,” he wrote in the memo. While everything else about Amazon seemed to be growing exponentially, the security team had lost even more people. At 345 staffers, it was down 100 from its budgeted headcount.

Carter went on to sound many of the same alarms that his predecessors had: Amazon still didn't know where all of its data was. The company still didn't have nearly enough capacity to detect threats automatically. And it still gave its employees far too much access to sensitive customer data. The difference was that for Carter, the danger posed by Amazon's own employees—“the ability for a rogue employee to abuse internal systems for their own purposes,” as he put it—had now become a vivid reality. And it would only become more grotesquely so as 2018 dragged on.

WHEN ANNA LAM was a young girl growing up on the Pacific island of Nauru, her mother would sometimes drop a piece of cool-green jade into a cup of herbal tea to calm her childhood fears. As a middle-aged adult living in New York City decades later, Lam started a business selling beauty products, some of them made from the same green semiprecious stone. Her most popular item on Amazon was something called a jade roller: a small cosmetic tool that looks a bit like an attractive miniature paint roller, designed for massaging one's face. To market the product under her brand, GingerChi, Lam put up some artfully staged close-ups of her own daughter using one of the rollers.

“The color was draining from people's faces,” says one person involved in the meetings. “It was a fucking shit storm.”

Jade rollers have an ancient Chinese pedigree, but in the mid-2010s it was their cachet on Instagram that made them hugely popular. By the fall of 2017, the living room of Lam's apartment was cluttered with boxes for shipping her rollers to customers. That's when she first noticed something weird on Amazon: Her daughter's face had shown up on a listing for someone else's jade roller. A rival seller called Krasr had grabbed Lam's photos to help sell their own copycat product. Lam reported the apparent violation to Amazon, and the photos were taken down.

Two months later, Lam received an order from a Canadian customer named Mohamed Multhazim Akbar Ali and realized he was the owner of the Krasr trademark. So she decided not to fulfill the order but didn't spare it much more thought. She was too busy dealing with her company's skyrocketing popularity. That November, the actress Lea Michele had plugged Lam's GingerChi jade roller on Instagram. Then Lam's products made the 2017 holiday gift guides for Time Out New York and Us Weekly. “It just went like wildfire,” she says. And then after that, “all hell broke loose.”

That spring, mysterious sellers on Amazon started issuing copyright infringement complaints against Lam, which prompted Amazon to suspend her account. She tried emailing her accusers but never heard back, so she suspected that Krasr was behind the complaints. Krasr had also relaunched his own jade roller with a marketing push.

When Lam finally managed to get her account reinstated, months later, her own Amazon listing seemed to turn against her, as if possessed: Customers would order a GingerChi jade roller, but they would sometimes receive a Krasr-branded roller in the mail instead, and their credit card payments would go to Lam's rival. The Krasr rollers looked similar to Lam's product, down to the cloth bag and informational insert, but they were sometimes defective. So Krasr got the sale, customers got an off-putting bait-and-switch, and Lam got the bad reviews. (“Everything about this is suspicious,” one GingerChi reviewer wrote after receiving a Krasr-branded roller that didn't roll.)

With time, the hijackers on her listing multiplied: A rotating cast of other sellers purported to offer her GingerChi jade roller right from her own page. One of them was mockingly named KingerChi. Lam tried to enlist Amazon's help. She'd order the rollers off her page, take pictures showing they were not hers, and send complaints to Amazon. After a long wait, one or two sellers peddling copycat rollers disappeared, but others would pop up, stealing her orders. Lam hired lawyers to write pleading letters to the company. By now she was losing money, had laid off an employee, and worried her business would go under. After a while, she couldn't help but think that Amazon simply didn't care.

Krasr, after all, had been the subject of a long exposรฉ on CNBC in the fall of 2017. The story identified Ali by name and described how, for more than six months, Krasr had attacked a Los Angeles–based skin care business, seeming to infiltrate and sabotage its Amazon account in a series of moves that were sometimes uncannily similar to what was now happening to Lam. The story quoted hectoring text messages from a Krasr representative to the seller, claiming to be the “virus of Amazon” and threatening war.

Amazon's response to the story was to quote corporate scripture, saying that the company “is constantly innovating on behalf of customers and sellers” and that it moves quickly whenever it detects bad actors abusing its systems. And yet almost a year after the CNBC story appeared, Krasr was still attacking Lam with impunity.

The man behind Krasr, meanwhile, seemed to be living large. Ali—or Zim, as he called himself—was in his early twenties at the time, getting a computer science degree at the University of Toronto. His Instagram account showed a confident, fashionable young man with a penchant for world travel, scuba diving in one post and riding a camel in another. At one point he attended a conference designed to help Canadian businesses tap into Chinese ecommerce, where he snapped a photo of Canadian prime minister Justin Trudeau onstage. (Ali did not respond to multiple requests for comment.)

As he targeted GingerChi, Krasr ran a smorgasbord of other product lines, hawking everything from ultrasonic pest-repellent devices to anti-snoring aids on Amazon. Some of his customers left reviews saying they were offered money or freebies to delete bad reviews. Lam didn't understand how Amazon let him get away with attacking sellers for so long. Surely Krasr had to be on the company's radar.

Lam didn't know, of course, how patchy Amazon's radar actually was. But Krasr eventually caught the company's attention. In November 2018, Krasr featured prominently in one of the security division's memos, a draft of Carter's quarterly six-pager to Wilke and other top execs. The security team had uncovered the disturbing secret of Krasr's success: He had moles inside of Amazon. “This seller recruited our employees over LinkedIn and Facebook,” the memo said. Over a series of years, these insiders had received approximately $160,000 in payoffs. In return, they used their access privileges to offer him godlike powers over the platform and any seller he wished to target.

Krasr's moles leaked him information on customers and their orders, shared internal business reports, and handed over information on best-selling products so Krasr could copy them (a move that Amazon itself has been accused of using to beat out its independent sellers). At Krasr's direction, they would reinstate accounts that had been suspended for illicit activity. And at times they would block sellers who were in good standing, just so that Krasr—in the manner of a ransom scheme—could offer to help.

The disturbing secret of Krasr's success: He had moles inside of Amazon. “This seller recruited our employees over Linkedin and Facebook,” the memo said.

According to Carter's memo, Amazon had caught seven of the employees who were working with Krasr, and they had spilled their secrets. All of them had been fired. But Krasr himself proved elusive. Amazon had referred him to the FBI, the memo said. “We believe Krasr is traveling between Toronto and Thailand and have retained a private investigator to confirm his whereabouts,” the memo stated. (“Any marketplace with a good amount of activity is going to have bad actors try to take advantage,” says Bemisderfer.)

Krasr had finally rattled Amazon's security leaders, but he wasn't an isolated case. The team also discovered an employee in China who had shared confidential information with a data broker, who then sold it on the Chinese messaging service WeChat, according to the memo. Plus they found an employee in China who offered a bribe to an employee in India to help certain sellers.

To make matters worse for Amazon, word of the company's corruption problem was beginning to get out. In fall 2018, The Wall Street Journal reported that employees there were slinging data for cash and that one was fired for leaking customer emails to a seller.

In response to the Journal stories, Amazon launched an internal project, codenamed Glass Door, to develop ways to fix the problem. But security leaders weren't particularly optimistic: “These threat actors are financially motivated and will remain persistent at acquiring our data,” a draft of a memo from Carter to Amazon's execs said, “until the financial burden on the attacker is greater than their financial gain.”

IN JANUARY 2020, after just over a year and a half in the role, Carter left his job running Amazon's information security department. His exit sent the division into yet another several months of floundering without a chief.

Amazon eventually hired John “Four” Flynn to fill the role. Flynn arrived from Uber, where he had served as chief information security officer during a period when employees there were using their data privileges to track the movements of ex-girlfriends and celebrities like Beyoncรฉ. Those abuses came to light not because Uber disclosed them but because a whistleblower filed a lawsuit against the company—and alleged, in that suit, that he was fired in part for raising his concerns with Flynn. (Uber said it maintains strict policies to protect customer data and that it fired fewer than 10 employees for improper access. The lawsuit ended in a settlement.)

Flynn was also at Uber when the company hushed up a massive hack of user data. Around the time Flynn was hired at Amazon last year, his old boss at Uber, security chief Joseph Sullivan, was indicted for allegedly paying off hackers to keep the data breach hidden from the public and federal authorities. Flynn, who hasn't been accused of any wrongdoing, testified before Congress that he wasn't involved in the payout. “I think we made a misstep in not reporting to consumers,” he told lawmakers. “And I think we made a misstep in not reporting to law enforcement.”

At Amazon, Flynn inherits some of the same problems that plagued Carter. Shady online services still openly advertise their ability to provide insider access for a fee. Many promise to provide internal screenshots of Amazon's system, one advertising them for $175, or customer emails. Photos of a laptop open to Amazon's internal seller support portal, reviewed by Reveal and WIRED, showed the location data of the exact spot in India where the images were taken last year.

In September 2020, federal prosecutors indicted six people in a scheme to bribe Amazon employees, saying the conspiracy had continued from at least 2017 to 2020. The trial is slated for next year. Some industry consultants say the problem of employee corruption is as bad as ever. But Amazon says it strongly rejects the notion that it has a problem with bribery.

Amazon also told Reveal and WIRED that it would “continue to enforce and remove seller accounts who have relations with Mohamed Multhazim Akbar Ali should any of these surface in the future.” But in fact, Krasr has been back in action for some time. Ali has a new company, ZB Ventures, which Reveal and WIRED were able to connect to more than 20 brands peddling everything from beard straighteners to massage guns on Amazon (some even earning an “Amazon's Choice” label). The brands' product pages are also littered with reviews from customers who say they were promised free upgrades in exchange for positive reviews—a practice that violates Amazon's policies.

Ali himself is still in the wind. “I have over 8 different online businesses which are mostly automated,” he says in his profile on the Couchsurfing social network, “so I'm free most days to help, explore, and enjoy life.”

Amazon's security division carries a much heavier burden. Bemisderfer writes that the memos and emails discussed in this article are “old documents” that “do not reflect Amazon's current security posture,” and some security staffers who have left the company tend to agree. The division is making some progress, they say. Amazon's systems for automatically detecting threats—an area where the company says it has made investments—are indeed constantly improving. The company says it has made significant investments in tools that identify “where personal data is stored and how it flows” and procedures that give employees “access to only the data that is critical to complete a particular assignment.” But on the whole, former employees say, the security division is still adrift.

“It's going to take forever to turn that ship,” says one former security manager. What Amazon does well is build new things quickly, the former manager says; what it doesn't do well is solve complex problems that take multiple teams and years to address. Meanwhile, the bloodletting continues, as the division keeps losing experienced security pros through attrition. The lineup of executives who receive Flynn's six-pagers has also changed: Jeff Wilke retired from Amazon in March 2021.

Meanwhile, Amazon's vast attack surface of customer data, and its potential pool of “internal threat actors,” have both grown at a rate that is nearly incomprehensible. Just since DeVore's testimony in 2018, the company has doubled its number of Prime members, to 200 million. It has also more than doubled its number of employees worldwide, to nearly 1.5 million.

The company has achieved huge scale in another sense as well: In August 2021, true to the warnings of Amazon's privacy staffers, officials in Luxembourg levied $883 million in fines against the company for GDPR violations, a penalty more than twice as large as all prior GDPR fines against other companies put together. (Amazon says the decision relates to the advertising that it shows European customers. The company strongly disagrees with the ruling and is appealing it.)

Still, public faith in Amazon has remained high. In July 2020, a year before he too stepped down as CEO, Jeff Bezos testified before Congress for the first time ever, to defend Amazon against growing antitrust sentiment in Washington. (In a social media post before the hearing, Ali scoffed at the idea that lawmakers would ever rein Bezos in. “He's definitely above the law,” the man behind Krasr wrote. “Nothing can be done about it.”) In his opening remarks to Congress, Bezos nodded to some of the now-plentiful studies that find Amazon to be one of the most trusted institutions in America. “Who do Americans trust more than Amazon to do the right thing?” he asked the committee. “Only their doctors and the military.” But as he added in his statement, “Customer trust is hard to win and easy to lose.” Is Amazon worthy of it?

No comments: