Several Amazon customers received a brief email saying that their name and email address had been leaked by mistake, with no further details.
Since November 21, 2018, many Amazon customers around the world have been receiving an email stating that their name and email address have been posted on Amazon's website. The email gives no further information.
Amazon's half-full glass
Amazon clings to two details in its crisis communication. First, the company insists that a technical error caused the data leak, not a security breach exploited by malicious hackers. That mistake is still troubling, coming a month after Amazon fired employees who shared e-mail from customers with third parties.
Second, it clearly states that the problem has been solved without customers having to intervene. Rather than warning of a data leak, the email is worded to emphasize that the problem has been resolved. The communication with customers would be a courtesy, meant to anticipate possible reactions. And among the press offices in the different countries, no one ventures to comment. Amazon's customer service even told some users that the email was a phishing attempt; evidently, the support staff were not aware of it.
However, the disclosed information exposes customers to potential phishing and may allow malicious individuals to attempt to take over their accounts.
Amazon refuses to say how many users have been affected, but claims to have contacted all affected customers. Article 33 of the GDPR obliges companies to report personal data breaches to the supervisory authority within 72 hours after the incident, which is why Amazon appears to have proceeded as a matter of urgency. It remains to be seen whether this error, of which little is known, can be characterized as a data breach.