Recently, Amazon India discovered a data breach that left exposed some of its sellers’ private financial information to other users. Read on to know more about Amazon’s latest data breach…
Amazon has again witnessed another data breach, but this time its at Amazon India. It was reported that the technical glitch was internal and exposed some of its sellers’ private financial information to other users.
Amazon sellers downloading their monthly financial reports (data of their sales through Amazon.in) were served with those of other vendors, leading to a breach of competitive businesses data.
The Data Breach
Sellers on Amazon India ecommerce platform were in for a surprise on Sunday when they were downloading their Merchant Tax Reports (MTRs) for the month of December 2018 from the website. They found that they could access the MTRs of several sellers other than their own. However, Amazon quickly stepped in and blocked the site and says the issue has been fixed since and reopened the web site.
“On Sunday, some sellers who attempted to download merchant tax reports for the month of December 2018 experienced a technical issue,” Amazon India said. “Our teams identified the issue and resolved it on priority and sellers were soon able to download the correct reports.”
The merchant tax reports, that were accidently passed on to unintended recipients, contained data including sales, category-wise split and inventory data. If found by rivals, this could prove to be of material value to them and detrimental to the merchant whose data was outed, experts said. Such instances of data breach always have an impact on users’ trust.
It could not be determined immediately whether any number of Amazon sellers have raised a complaint yet.
Amazon India has 150 million registered users and around 4 million merchants sell on its platform.
Amazon India confirmed the incident and said that as soon as the breach came to its notice, technical teams were pressed into action to resolve the issue. However, Amazon did not reveal the numbers of sellers affected by the glitch. Though Amazon said it was able to contain the issue, unsolicited exposure of a firm’s data has spooked e-commerce users.
Amazon claims that only 400,000 sellers, which is 0.2% of the total number of sellers on Amazon were affected by the breach. The regular operations for downloading the MTRs resumed only late Monday evening, it is reported. Sellers chanced upon this anomaly when they were trying to download their reports from the site and found that what was being printed out was not their own but some other sellers’.
Amazon conceded that the flaw occurred due to a data breach. In real terms this is a failure in security since there is competition among sellers and disclosure of one seller’s details to the others is a compromising their data security.
Previous Data Breach
Data security breach reports from Amazon have a history. There was a report by an investigative journalist in the Wall Street Journal some time back which alleged that a few employees of Amazon in India and the US were in collusion with some merchants and leaking data, possibly for some monetary benefits. Amazon took action based on these reports and its own internal inquiry and sacked several employees in both countries.
There was another report in November last year that there was a security breach due to which some personal information of customers got leaked. Amazon.com faced a similar, but larger breach. It had said that an unknown number of email addresses were left exposed due to a technical error. Though it was resolved swiftly, Amazon had declined to share the number of users affected, the scope of the breach or what caused the error.
Data Protection Bill
At the moment, India does not have a provision for a user, whose data has been exposed, to recover damages from companies responsible for this.
A section in the draft Data Protection Bill, which is undergoing consultations and pruning, however, lays down directives for early disclosure of leaks and a mechanism to try cases pertaining to such lapses.
The Data Protection Bill is likely to be tabled in Indian Parliament in June 2019.