https://www.politico.eu/article/data-at-risk-amazon-security-threat/
By Vincent Manancourt
February 24, 2021 11:05 am
YOUR ORDER HISTORY. Your credit card information. Even your intimate health data.
Amazon is amassing an empire of data as the online retailer ventures into ever more areas of our lives. But the company's efforts to protect the information it collects are inadequate, according to insiders who warn the company's security shortfalls expose users' information to potential breaches, theft and exploitation.
The warnings about privacy and compliance failures at Amazon come from three former high-level information security employees — one EU-based and two from the U.S. — who told POLITICO they had repeatedly tried to alert senior leadership in the company's Seattle HQ, only to be sidelined, dismissed or pushed out of the company in what they saw as professional retaliation.
•••••
Put together, their accounts paint a picture of a corporate culture at Amazon that they say prioritizes growth over other factors, such as the security of customers' information, compliance with rules designed to safeguard that data and the careers of employees the company hired specifically to flag problems.
“Imagine if a company the size of Amazon had a breach? The issue is millions of people's personal identifiable information is at risk,” the first former U.S.-based information-security employee said.
•••••
Garfield Benjamin, a British academic who has previously written about Amazon’s privacy lapses, said that the company's "disregard for privacy and security" was indicative of a "big problem."
“It seems bizarre — although perhaps unfortunately all too common — that a company so intent on making data its primary business should have such poor practices,” Benjamin said when shown POLITICO’s findings. He added, "Is their hubris so great, their assumed power so unassailable, that they see themselves as completely untouchable?”
The consequence for consumers is more than potential loss of trust in Amazon's privacy and security practices. The company's practices leave it vulnerable to potential breaches or hacks that could put highly sensitive information into the hands of malicious actors.
[My guess is they don't want to spend the money needed for good security.]
•••••
“The quality of the controls that Amazon has in place is appalling. We found hundreds of thousands of accounts where the employee is no longer there but they still have system access,” said the first former U.S.-based employee, adding that such a vast number was possible because of Amazon's massive workforce and rapid staff turnover. Amazon said it has strict procedures in place when employees leave the company that remove their access.
•••••
Weak controls mean the company may not even detect a hack. An internal Amazon memo seen by one of the former employees from June 2018 deemed there was a “very high” possibility of critical financial loss or reputational damage to the business because of the company’s “inability to identify adversarial events.”
•••••
AMAZON PUTS GREAT STOCK in its 14 "leadership principles," which every employee is supposed to follow, and against which they are measured. The principles include "customer obsession," "are right, a lot," "frugality" and "earn trust." All the former employees said they felt those principles were used against them in retaliation for highlighting issues with compliance or security.
For instance, those seeking funding would sometimes come up against senior managers citing the need for "frugality."
•••••
ALL THE EMPLOYEES WHO SPOKE TO POLITICO attributed the company being unwilling to fix issues or deliberately hiding them most directly to a strata of management that sits between the highest levels of the company — which includes vice presidents, senior vice presidents and Jeff Bezos himself — and the rest of the company.
They said that a “cut throat” competitive culture meant that there was jostling in the mid-level layer directly above them for promotions and funds. This meant that there was pressure to report wins over losses and downplay issues within the company — as well as to regulators.
•••••
No comments:
Post a Comment