Amazon whistleblowers warn of lousy security at e-commerce giant

Three ex-Amazon employees are going public to draw attention to serious data protection problems. In their view, the e-commerce giant does not want to comply with applicable regulations at all.

These are very serious allegations that three formerly high-ranking Amazon employees are making to Politico. All three had been responsible for monitoring information security in different units, but too often their notices, warnings and complaints about deficiencies went unheeded. Ultimately, the employees who had apparently become too critical were removed from the workforce.

The whistleblowers' accusations focus on Amazon's retail business. They explicitly point out that Amazon Web Services, the company's cloud business, is not affected by the allegations. On the contrary, they say, the data security concepts used there are world-leading. But the AWS business is largely run apart from the main company anyway, they say, with only a few points of contact.

Amazon is said not to know what data is stored where and who has access to it

In its core business, on the other hand, there is said to be downright data chaos. For example, Amazon does not even know which data is stored where. The right to be forgotten, which is one of the central legal claims of the European General Data Protection Regulation (GDPR), cannot be guaranteed by Amazon because the company does not know what needs to be deleted and where.

This lack of knowledge about storage types and locations puts the data of millions of customers at risk, because under these conditions even a small gap could have unexpected consequences. If you don't know what data is stored where, you can't implement an effective protection strategy to prevent it from being stolen.

Similarly, there is no control over which employees have access to which data. The whistleblowers claim to have found thousands of accounts of ex-employees who still had system rights and thus still had access to the Amazon data centers even after their employment contracts had ended.

Senior management allegedly not interested in problems

Reports and warnings were regularly ignored or dismissed by higher levels of the hierarchy. In some cases, the same problem had to be pointed out for years before it could be eliminated. In others, superiors simply ignored the reports.

The whistleblowers paint a picture of a management system that views data security as an optional luxury and is willing to disregard existing internal rules at will. In doing so, executives are said to have displayed great creativity and in some cases deliberately misclassified data in order to circumvent certain auditing procedures.

EU whistleblower accuses Amazon of lacking GDPR compliance


One of the whistleblowers was assigned to the Luxembourg branch to ensure compliance with the GDPR and also complains about obstacles that were put in his way. Amazon had only started to deal with the issue in April 2018, one month before the measures from the GDPR came into force. Prior to that, all attempts to prepare properly had been blocked.

This is said to have happened not only at the middle levels of the hierarchy. Reports about risks and deficiencies, which were addressed to Jeff Wilke, the CEO of Amazon and responsible for the global consumer business, are also said to have gone unanswered.

In the end, the ex-employee says he gained the impression that Amazon headquarters deliberately undermined the authority of the Luxembourg branch and wanted to bleed the team dry. All three ex-employees state that they were forced out of the company. This was preceded by periods in which they were no longer informed about meetings, no longer received necessary information, and were, all in all, ignored. One of the ex-employees describes Amazon's actions as a "systematic erasure" of people who wanted to formulate and address compliance issues.

Amazon largely dismisses the allegations, implying that the employees acted outside their authority and therefore had to be reined in. The allegations are false, or at least inaccurate or outdated, the company said. On the contrary, Amazon has an excellent culture of data security, in which the protection of customer data enjoys the highest priority.
