Amazon has confirmed that a security incident at a third-party vendor compromised employee data, impacting the information of its workforce. Amazon spokesperson Adam Montgomery provided details on the breach, noting that while Amazon’s own systems, including those of Amazon Web Services (AWS), remain secure, the vendor’s breach involved employee contact information like work email addresses, desk phone numbers, and building locations. He emphasised that no other Amazon information was impacted.
“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations,” Montgomery explained in a statement to TechCrunch.
Also read: Amazon asks employees to come to office 5 days a week or look for other jobs
Amazon declined to specify the number of employees affected, although it did confirm that the breached vendor lacks access to sensitive data such as Social Security numbers or financial information. According to Amazon, the third-party vendor responsible for the security lapse has since resolved the vulnerability.
The breach was first brought to light when a threat actor, using the alias “Nam3L3ss,” claimed to have leaked data allegedly taken from Amazon on BreachForums, a notorious site in the hacking community. The hacker alleges possession of over 2.8 million lines of data, reportedly accessed through the exploitation of a vulnerability in the MOVEit Transfer system last year.
Cybersecurity firm Hudson Rock reported that the threat actor allegedly posted data related to Amazon and 24 other major organisations. The hacker also claimed that what had been leaked so far represented less than 0.001% of their total stolen data, with a promise of further releases ahead.
The MOVEit breach, which resulted in widespread exploitation by the Clop ransomware group, marked one of the most significant cyber incidents of 2023. The incident affected over 1,000 organisations, including high-profile entities like the Oregon Department of Transportation, which reported 3.5 million records stolen; the Colorado Department of Health Care Policy and Financing, with four million records breached; and U.S. government contractor Maximus, which suffered the loss of 11 million records.