It has failed to protect your data


ON SEPTEMBER 26, 2018, a row of tech executives filed into a marble- and wood-paneled hearing room and sat down behind a row of tabletop microphones and tiny water bottles. They had all been called to testify before the US Senate Commerce Committee on a dry subject—the safekeeping and privacy of customer data—that had recently been making large numbers of people mad as hell.

To prevent abuses like these, the European Union and the state of California had both passed sweeping new data privacy regulations. Now Congress, Thune said, was poised to write regulations of its own. “The question is no longer whether we need a federal law to protect consumers' privacy,” he declared. “The question is, what shape will that law take?” Sitting in front of the senator, ready to help answer that question, were representatives from two telecom firms, Apple, Google, Twitter, and Amazon.

Notably absent from the lineup was anyone from Facebook or Equifax, which had been grilled by Congress separately. So for the assembled execs, the hearing marked an opportunity to start lobbying for friendly regulations—and to assure Congress that, of course, their companies had the issue completely under control.

No executive at the hearing projected quite as much aloof confidence on this count as Andrew DeVore, the representative from Amazon, a company that rarely testifies before Congress. After the briefest of greetings, he began his opening remarks by quoting one of his company's core maxims to the senators: “Amazon's mission is to be Earth's most customer-centric company.” It was a stock line, but it made the associate general counsel sound a bit like he was speaking as an emissary from a larger and more important planet.

This article appears in the December 2021/January 2022 issue of WIRED.

DeVore, a former prosecutor with rugged features, made clear that what Amazon needed most from lawmakers was minimal interference. Consumer trust was already Amazon's highest priority, and a commitment to privacy and data security was sewn into everything the company did. “We design our products and services so that it's easy for customers to understand when their data is being collected and control when it's shared,” he said. “Our customers trust us to handle their data carefully and sensibly.”

On this last point, DeVore was probably making a safe assumption. That year, a study by Georgetown University found Amazon to be the second-most-trusted institution in the United States, after the military. But as companies like Facebook have learned in recent years, public trust can be fragile. And in hindsight, what's most interesting about Amazon's 2018 testimony is what DeVore did not say.

At that very moment inside Amazon, the division charged with keeping customer data safe for the company's retail operation was in a state of turmoil: understaffed, demoralized, worn down from frequent changes in leadership, and—by its own leaders' accounts—severely handicapped in its ability to do its job. That year and the one before it, the team had been warning Amazon's executives that the retailer's information was at risk. And the company's own practices were fanning the danger.

According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon's vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who's at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn't even map all of it, much less adequately defend its borders.

In the name of speedy customer service, unbridled growth, and rapid-fire “invention on behalf of customers”—in the name of delighting you—Amazon had given broad swathes of its global workforce extraordinary latitude to tap into customer data at will. It was, as former Amazon chief information security officer Gary Gagnon calls it, a “free-for-all” of internal access to customer information. And as information security leaders warned, that free-for-all left the company wide open to “internal threat actors” while simultaneously making it inordinately difficult to track where all of Amazon's data was flowing.

By the time DeVore started testifying about Amazon's long-standing commitment to privacy and security, the dangers that the security division had identified weren't just theoretical. According to Reveal and WIRED's findings, they were real, and they were pervasive. Across Amazon, some low-level employees were using their data privileges to snoop on the purchases of celebrities, while others were taking bribes to help shady sellers sabotage competitors' businesses, doctor Amazon's review system, and sell knock-off products to unsuspecting customers. Millions of credit card numbers had sat in the wrong place on Amazon's internal network for years, with the security team unable to establish definitively whether they'd been unduly accessed. And a program that allowed sellers to extract their own metrics had become a backdoor for third-party developers to amass Amazon customer data. In fact, not long before September's hearing, Amazon had discovered that a Chinese data firm had been harvesting millions of customers' information in a scheme reminiscent of Cambridge Analytica.

Another commandment that Bezos laid down in the company's early years was a ban on PowerPoint presentations, arguing that they encouraged shallow, distracted thinking. Instead, he ruled that Amazonians should present their reports to executives in the form of meaty, single-spaced memos—called six-pagers—to be read carefully and silently at the beginning of a meeting by all in attendance.

Over the past several months, Reveal and WIRED reviewed some of the confidential six-pagers that Amazon's information security chiefs prepared for submission to Jeff Wilke, then the CEO of Amazon's global consumer operation, along with general counsel David Zapolsky and chief financial officer Brian Olsavsky, between 2016 and 2018. This account is based partly on those memos, along with numerous other internal Amazon documents and communications dating back to 2015, as well as interviews with more than a dozen former Amazon data security and privacy staffers, many of whom spoke on the condition of anonymity because they feared retaliation, reputational damage, or legal threats for speaking openly.

For two decades of its early history, Amazon, like a lot of companies, outsourced the storage of its data to a third-party contractor, Oracle. But by the mid-2010s, Amazon's data warehouse there had ballooned to become the biggest Oracle database in the world—as much as 1,000 times bigger than any other, according to one Amazon estimate. It held a staggering 50,000 terabytes of information.

By then, Amazon had embarked on a massive, multiyear effort to transfer its Oracle-based data to a new internal system, housed on Amazon Web Services' own servers. (At one point, the guy in charge of that transition—a data warehousing expert named Jeff Carter—described his job in a public presentation by showing a photo of a few men changing the tires of a car tilted precariously on two wheels as it sped down the road.) But there was still data scattered in the wind, untagged, unmapped, untracked.

Amazon's system, a much later memo would say, “allows associates to quickly work on behalf of Amazon customers, but puts those same customers at risk from intentional abuse and unintentional exposure by employees and contractors who have been entrusted with elevated privileges.”

But in some ways, one of Amazon's most knotty sources of vulnerability was the information security division itself—and how ill-equipped, dysfunctional, and adrift it was, even as dedicated security staffers performed heroic feats against tall odds. In March 2016, the division's longtime chief, George Stathakopoulos, left for a job at Apple, which sent the team into several months of limbo. But the division's bouts of turmoil would go deeper and last much longer than that.

AROUND THE TAIL end of 2016, a guy named Gary Gagnon—a cybersecurity executive with decades of experience, primarily in federal government work—flew to Seattle to discuss becoming Amazon's new vice president of information security. His last interview of the day was with Wilke, the consumer CEO, who met Gagnon in a small conference room off of his modest office, dressed in a flannel button-down and jeans. The outfit was part of a tradition, Gagnon recalls Wilke explaining: He always dressed like a warehouse worker during the peak holiday shopping season, to remind folks at headquarters of the people who really kept Amazon churning.

Gagnon wasn't that eager for a new job, he says, but he was blown away by Wilke, and how humble he seemed for someone who commanded the largest online retail operation on earth. “OK,” Gagnon remembers thinking, “this is a guy I can work for.”

Everything went downhill from there. At an all-hands meeting in the beginning of 2017, Wilke introduced Gagnon as the security division's new leader, shocking some staffers who had been expecting the acting chief, a longtime insider, to get the job. When Gagnon gave his first speech to his team, his frequent use of the prefix “cyber-” instantly grated on some in the division, who regarded it as the tic of an East Coast government type. “It became a joke from day one,” says one former manager. Gagnon says a staffer later pulled him aside and duly advised him to lay off the term “cybersecurity.”

He inherited a team of 300-odd people but thought it should have probably been more like 1,000. But when he tried to beef up his staff, Gagnon soon found out that the frugality he'd admired in Wilke was going to pose a problem for him: Upon asking for more resources, he says, the consumer CEO usually turned him down. (Wilke could not be reached for comment.)

Amazon says it “will never sacrifice security for costs.” But in Gagnon's view, investment in information security was spare: “The budgets didn't align with the needs.” Some former security staffers echo him on this sense of austerity in the division. “I would tell new hires, ‘Assume your budget is zero and go from there. Just be as frugal as you can,’” says Ellie Havens, a former business operations manager on the security team.

A more fundamental problem facing Amazon, as Gagnon sized it up in his memo, was this: “We lack visibility into the data we are charged with protecting,” he wrote. “We do not systemically know the data flows and storage locations of sensitive data.”

In security terms, the implication was obvious: If the team didn't know where all the data was, how could they make sure it wasn't leaked, stolen, or manipulated inappropriately? But Gagnon also saw another giant hazard on the horizon. In April 2016 the European Parliament had passed the General Data Protection Regulation, a sweeping consumer privacy law that would go into effect in 2018. After that, firms operating in Europe would be allowed to use people's data under a stringent set of conditions, and sometimes only with their consent. Companies would also be required to make it possible for customers to have their data deleted. “I don't know how the hell we're going to deal with that,” Gagnon remembers thinking, “because we have no idea where our fucking data is.”

It wasn't that executives like Wilke didn't care about keeping customer data safe, Gagnon says. “They did what they thought was enough,” he says. “They're making a ton of money. Their stock is going up ... They had no indications that any of the cyber stuff was going to affect their business.” Or at least, it hadn't yet.

Amazon's security division jumped into action, alerting Whole Foods and launching an investigation. Over the next few weeks, the team determined that a notorious group of Ukrainian cybercriminals had been inside parts of the Whole Foods corporate network since January. The attackers had control of 20 employee accounts with powerful levels of access. They had burrowed so deep that the Whole Foods team working on the breach had to be moved to an entirely different email system to communicate without fear of the hackers snooping, according to an internal memo.

His fate was sealed one night at a private dinner for the event's speakers. Precisely what happened there is under dispute, but Gagnon never returned to work for Amazon. The next day, he says, he was pulled into a video call with Treadwell back in Seattle, who told him to leave the conference and fly home. When he got back to the States, Gagnon says, he was told that what happened in London was “inexcusable” without receiving any additional detail. He was fired the following week, the company confirmed.

It wasn't. Around the time Carter arrived, a set of managers inside the information security division got together to quantify their alarm over the biggest dangers Amazon was facing. Each danger was assigned three scores: One for how badly it could affect the company, one for how likely it was to happen, and one for what power Amazon had to control it. Then those three numbers were multiplied together for a total risk score.

Amazon says these risks were “overstated.” But around that same time, yet another dire-sounding message issued from a unit inside the security division called the Security Operations Center, which was responsible for detecting and responding to attacks. A memo from the team warned that, because the group relied on humans to report problems when they came upon them instead of having an effective automated system to proactively search for evidence of a breach, an attacker could conceivably hide out in Amazon's network for years without being noticed.

Amazon claims this memo ignored “multiple compensating controls and fallback measures” that the company had in place to prevent intruders. Still, the document's urgency was palpable: “We can't scale with people, there are just not enough so we must scale with automation.” But automation, the memo went on, was “currently underfunded.”

As Carter settled into his new job, in short, the alarms sounding within the information security division were cranked up as high as they could go. Elsewhere in the company, meanwhile, another group of staffers had been boiling over with their own concerns about Amazon's handling of customer data.

GARY GAGNON WASN'T the only one who blanched at the thought of preparing the company to comply with Europe's GDPR. At a time when the world was growing increasingly concerned about tech companies' use of personal data—not just whether they kept it safe from cybercriminals, but how they themselves passed it around and milked it for profit—Amazon had only a small handful of employees who were officially charged with ensuring customer privacy across the organization. Most of them were clustered in the company's legal department under associate general counsel Bill Way. And throughout 2017 they struggled to advocate for privacy in a company that hated to slow down, where executives often seemed not to appreciate their efforts.

In May 2017, a senior engineer among this small group of staffers sent an email to Way sketching the general lay of the land: Addressing privacy issues around the company had become “a brutal game of whack-a-mole,” he wrote.

“I've had several conversations with internal employees that were not happy with the transparency and privacy practices of tools they were developing, but attempts to fix this were knocked down by leadership,” the engineer wrote. “Of course, these individuals have to take their career into account before fighting against their reporting chain too much on those issues, and it points to the need for a centralized privacy team to handle those escalations and battles.”

Other tech giants, the engineer wrote, had more mature systems in place for working through complex privacy issues, and Amazon was falling behind. (Google, for instance, had scores of employees working on privacy.) “Without a privacy development team to own that work,” he concluded, “I'm not sure we are well positioned to catch up.”

In the fall of 2017, a different staffer—an Amazon compliance expert—wrote a memo to Way and others warning that the company could face multibillion-dollar fines over privacy issues if it didn't shape up. The memo argued that Amazon should aim to have more than 30 dedicated privacy staffers instead of just a handful, and said the company offered few to no resources for privacy training, the development of products for privacy, or data mapping. (That staffer later alleged that he was pushed out of the company in part for raising these issues, according to records reviewed by WIRED and Reveal. Politico EU also reported on allegations that the company punished staffers for raising security concerns. “Employees did not face retaliation,” Amazon says. “No employees left the company because they had raised concerns around data security regulation compliance.”)

Later that year, when members of Amazon's legal team tried to help the company up its privacy game, their efforts, too, were shot down. That December, a company lawyer polled a group of colleagues on whether Amazon should join the International Association of Privacy Professionals. Google, Facebook, Microsoft, Twitter, Oracle, and Salesforce had already become corporate members, giving hundreds of their employees access to its resources. A top-tier corporate membership cost $25,000.

But Andrew DeVore—the associate general counsel who would ultimately testify before Congress about Amazon's “long-standing commitment to privacy and data security,” and the most senior person on the chain—batted the idea away: “I don't think it's a particularly useful forum for us to achieve any broader privacy objectives.”

“Anyone—and in particular anyone who purports to have any real involvement in or understanding of privacy issues—who believes Amazon is ‘not interested in privacy issues’ is a complete and utter ignoramus,” he replied. “We wouldn't be here, and we would not have the incredible array of privacy protective products and services that we make available around the world, if we weren't absolutely privacy obsessed in all we do. We have been from day one, and it [is] still day one. So I hope, and fully expect, that all of you push back hard on that kind of crap.”

As the May 2018 deadline for complying with GDPR drew closer, the issue of data privacy surged to the forefront of public attention—courtesy of the Cambridge Analytica scandal, which erupted that March. Suddenly morning news shows and nighttime comedy hosts were chewing over a convoluted story about a third-party developer who took liberties with data freely acquired through Facebook's application programming interface. In a matter of days, Facebook's market cap dropped by more than $35 billion.

Considering DeVore's testimony, Gary Gagnon has a hard time stomaching the claim that Amazon was well-aligned with GDPR and had privacy at its core. “It's all bullshit,” he says. “Complete bullshit.”

IN THE SPRING and summer of 2018, Amazon looked like an unstoppable force with a brick on its accelerator. The company had over 575,000 global employees. Jeff Bezos had been declared the world's richest man, and Amazon was on the verge of becoming the world's second company, after Apple, to reach a value of $1 trillion. As Bezos reported in his annual shareholder letter that April, more than 100 million people around the world had become Prime members, and they were going bonkers for smart devices like Echo Dots and Fire TV Sticks—products that turned their daily lives into ever more Amazon data points.

Amazon's retail platform had long offered sellers a convenient program that allowed them to pull data about their customers. All they needed was a special key to tap into Amazon's interface, and they could unlock access to customers' information, including names, mailing addresses, phone numbers, the products they'd ordered, and the dates when they'd ordered them. The idea was that sellers could use all that data to manage their businesses, possibly by hiring their own software developers to build analytics tools.

How did AMZReview know those email addresses? The service, Amazon determined, was an offshoot of a Chinese analytics firm called TouchData, and it seemed to have obtained the customer emails from “other open and breached sources” of data on the internet. From there, it had ways of matching addresses to Amazon reviews, with a modest success rate. In all, AMZReview obtained access keys from 92 different sellers, allowing it to pull all of their customer information from Amazon's system. It claimed to have information on 16 million Amazon customers. (The intel team said it was able to verify only that AMZReview had likely harvested the information of 4.8 million. TouchData denies that it was ever connected to AMZReview, which is no longer active.)

When the risk intel team first reported the discovery up the chain, “the color was draining from people's faces,” says one person involved in the meetings. “It was a fucking shitstorm.”

The problem was far bigger than just AMZReview, which was only one player among many that could harvest data from the information Amazon gave to sellers. Merchants accessed billions of customer orders through Amazon's interface with little oversight. The largest third-party developer had access to a billion orders. Sure, there were rules for how sellers and developers were supposed to use the system. But it appeared, the memo said, that more than half of the third-party developers the company had researched were violating Amazon's terms of service. A former staffer familiar with the details says that most were probably legitimate businesses. But still, the former employee adds, “there was a massive hole. It was really unmitigated.”

The memo said Amazon had been “oversharing” customer details, handing out many different kinds of data points, often without regard to what sellers actually needed. And Amazon had “no way of knowing,” the memo said, if the data was being accessed by actual sellers or by third-party companies who were doing who knows what with it. The companies could be selling the data outright or using it to create targeted marketing aimed at Amazon customers. “We believe such use could violate customer trust if customers understood what was happening,” it said.

Amazon's leaders wanted the problem solved, and fast. The memo set forth a plan: Amazon would limit the data shared with sellers. It would regularly audit the companies that were pulling data to catch any misconduct. As for the massive amount of data that had already leaked out, they decided to simply ask the biggest companies to please get rid of their historical data on Amazon customers. Amazon says it used external audits to make sure the data was trashed.

“The biggest concern was just optics,” says a former Amazon employee who had knowledge of the situation. “If it had come out that that was happening? All that embarrassing shit that you ordered on Amazon, there's some Chinese company that could pin down the date you bought it? Obviously they wouldn't want anyone to know about that.”

Some people involved couldn't help but think of the still-broiling Cambridge Analytica scandal. But while Facebook got publicly barbecued, Amazon dealt with AMZReview quietly. Some privacy advocates say the company should have come clean. “They should have said, ‘Here's what is going on, here's what we did to fix it, and here's what we know about who got their hands on your data,’” says Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation.

Amazon says there's nothing to see here. “There was not a data leak,” says company spokesperson Jen Bemisderfer. “We have strict policies and contractual terms in place that prohibit the misuse of customer data by sellers and service providers, and we continuously monitor and audit our systems to detect misuse and enforce our policies.” When Amazon discovered companies abusing their access, it cut them off, she says. Amazon also invested in an outside auditor to make sure companies comply. As for how many customers had their information shoveled up by companies misusing the system, Amazon had “no response.”

As bad as it was, AMZReview wasn't the only problem the company discovered that May. At almost exactly the same time, Amazon's security division learned that several Amazon accounts belonging to employees in China had been used to bypass controls in the company's customer service platform. According to an internal memo, those accounts had then changed the email addresses attached to some 36,000 customer profiles, a move that would have allowed the attackers to take over the customer accounts and use them for fraud. Eight employees, including an IT engineer, were potentially involved and appeared to be in league with Chinese companies that provide services to Amazon sellers. Several employees were fired, according to the memo, and a technology team corrected the vulnerability that had been used to change email addresses within days of its discovery.

The security division also learned that someone inside Amazon's system had logged in to 6,581 customer accounts and deleted reviews they'd written. The two incidents appeared related. Someone was gaming one of the world's biggest marketplaces, and they had inside help.

When Jeff Carter—the new security chief who didn't have security experience—was ready to submit his first quarterly six-pager to senior execs in July 2018, he started by capturing the still-bedraggled state of the security division. “Through various management transitions, there has been a breakdown in trust amongst teams within the InfoSec organization, which has impacted teamwork, morale, productivity and retention,” he wrote in the memo. While everything else about Amazon seemed to be growing exponentially, the security team had lost even more people. At 345 staffers, it was down 100 from its budgeted headcount.

Carter went on to sound many of the same alarms that his predecessors had: Amazon still didn't know where all of its data was. The company still didn't have nearly enough capacity to detect threats automatically. And it still gave its employees far too much access to sensitive customer data. The difference was that for Carter, the danger posed by Amazon's own employees—“the ability for a rogue employee to abuse internal systems for their own purposes,” as he put it—had now become a vivid reality. And it would only become more grotesquely so as 2018 dragged on.

WHEN ANNA LAM was a young girl growing up on the Pacific island of Nauru, her mother would sometimes drop a piece of cool-green jade into a cup of herbal tea to calm her childhood fears. As a middle-aged adult living in New York City decades later, Lam started a business selling beauty products, some of them made from the same green semiprecious stone. Her most popular item on Amazon was something called a jade roller: a small cosmetic tool that looks a bit like an attractive miniature paint roller, designed for massaging one's face. To market the product under her brand, GingerChi, Lam put up some artfully staged close-ups of her own daughter using one of the rollers.


Jade rollers have an ancient Chinese pedigree, but in the mid-2010s it was their cachet on Instagram that made them hugely popular. By the fall of 2017, the living room of Lam's apartment was cluttered with boxes for shipping her rollers to customers. That's when she first noticed something weird on Amazon: Her daughter's face had shown up on a listing for someone else's jade roller. A rival seller called Krasr had grabbed Lam's photos to help sell their own copycat product. Lam reported the apparent violation to Amazon, and the photos were taken down.

That spring, mysterious sellers on Amazon started issuing copyright infringement complaints against Lam, which prompted Amazon to suspend her account. She tried emailing her accusers but never heard back, so she suspected that Krasr was behind the complaints. Krasr had also relaunched his own jade roller with a marketing push.

When Lam finally managed to get her account reinstated, months later, her own Amazon listing seemed to turn against her, as if possessed: Customers would order a GingerChi jade roller, but they would sometimes receive a Krasr-branded roller in the mail instead, and their credit card payments would go to Lam's rival. The Krasr rollers looked similar to Lam's product, down to the cloth bag and informational insert, but they were sometimes defective. So Krasr got the sale, customers got an off-putting bait-and-switch, and Lam got the bad reviews. (“Everything about this is suspicious,” one GingerChi reviewer wrote after receiving a Krasr-branded roller that didn't roll.)

With time, the hijackers on her listing multiplied: A rotating cast of other sellers purported to offer her GingerChi jade roller right from her own page. One of them was mockingly named KingerChi. Lam tried to enlist Amazon's help. She'd order the rollers off her page, take pictures showing they were not hers, and send complaints to Amazon. After a long wait, one or two sellers peddling copycat rollers disappeared, but others would pop up, stealing her orders. Lam hired lawyers to write pleading letters to the company. By now she was losing money, had laid off an employee, and worried her business would go under. After a while, she couldn't help but think that Amazon simply didn't care.

Krasr, after all, had been the subject of a long exposé on CNBC in the fall of 2017. The story identified Ali by name and described how, for more than six months, Krasr had attacked a Los Angeles–based skin care business, seeming to infiltrate and sabotage its Amazon account in a series of moves that were sometimes uncannily similar to what was now happening to Lam. The story quoted hectoring text messages from a Krasr representative to the seller, claiming to be the “virus of Amazon” and threatening war.

Amazon's response to the story was to quote corporate scripture, saying that the company “is constantly innovating on behalf of customers and sellers” and that it moves quickly whenever it detects bad actors abusing its systems. And yet almost a year after the CNBC story appeared, Krasr was still attacking Lam with impunity.

The man behind Krasr, meanwhile, seemed to be living large. Ali—or Zim, as he called himself—was in his early twenties at the time, getting a computer science degree at the University of Toronto. His Instagram account showed a confident, fashionable young man with a penchant for world travel, scuba diving in one post and riding a camel in another. At one point he attended a conference designed to help Canadian businesses tap into Chinese ecommerce, where he snapped a photo of Canadian prime minister Justin Trudeau onstage. (Ali did not respond to multiple requests for comment.)

As he targeted GingerChi, Krasr ran a smorgasbord of other product lines, hawking everything from ultrasonic pest-repellent devices to anti-snoring aids on Amazon. Some of his customers left reviews saying they were offered money or freebies to delete bad reviews. Lam didn't understand how Amazon let him get away with attacking sellers for so long. Surely Krasr had to be on the company's radar.

Lam didn't know, of course, how patchy Amazon's radar actually was. But Krasr eventually caught the company's attention. In November 2018, Krasr featured prominently in one of the security division's memos, a draft of Carter's quarterly six-pager to Wilke and other top execs. The security team had uncovered the disturbing secret of Krasr's success: He had moles inside of Amazon. “This seller recruited our employees over LinkedIn and Facebook,” the memo said. Over a series of years, these insiders had received approximately $160,000 in payoffs. In return, they used their access privileges to offer him godlike powers over the platform and any seller he wished to target.

Krasr's moles leaked him information on customers and their orders, shared internal business reports, and handed over information on best-selling products so Krasr could copy them (a move that Amazon itself has been accused of using to beat out its independent sellers). At Krasr's direction, they would reinstate accounts that had been suspended for illicit activity. And at times they would block sellers who were in good standing, just so that Krasr—in the manner of a ransom scheme—could offer to help.
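The insider abuse just described (privileged actions taken outside any assigned case, suspending a seller and then reinstating it, and one employee repeatedly touching one client's accounts) is the kind of pattern a security operations team can hunt for in its own audit logs. The following detection rules are an added example written for this page, not code from the article or from Amazon: the pipe-delimited log format, the field names, the seller and employee identifiers, and the assumption that every privileged support action should be tied to a case assigned for that seller are all constructed for illustration.

```python
"""Insider-abuse detection over a seller-support audit log (constructed example).

Assumed record format (pipe-delimited; not Amazon's real schema):
    timestamp|employee|action|seller|ticket|ticket_seller|reason
`ticket` is the support case the employee was working and `ticket_seller`
the seller that case concerns; both are empty when the employee acted
without an assigned case.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PRIVILEGED = {"suspend", "reinstate", "export_orders", "view_customer"}
CYCLE_WINDOW = timedelta(days=7)   # suspend followed by reinstate inside this window
CONCENTRATION = 3                  # privileged actions by one employee on one seller


@dataclass(frozen=True)
class Event:
    ts: datetime
    employee: str
    action: str
    seller: str
    ticket: Optional[str]
    ticket_seller: Optional[str]
    reason: str


Finding = Tuple[str, str, str]  # (rule, employee, seller)


def parse_line(line: str) -> Event:
    """Parse one record of the assumed log format."""
    ts, emp, action, seller, ticket, tseller, reason = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), emp, action, seller,
                 ticket or None, tseller or None, reason)


def detect(events: List[Event]) -> List[Finding]:
    """Run the three rules over the events and return every hit."""
    events = sorted(events, key=lambda e: e.ts)
    findings: List[Finding] = []
    last_suspend = {}       # (employee, seller) -> time of that employee's last suspend
    per_pair = Counter()    # (employee, seller) -> number of privileged actions
    for e in events:
        if e.action not in PRIVILEGED:
            continue
        key = (e.employee, e.seller)
        per_pair[key] += 1
        # Rule 1: a privileged action should be covered by a case assigned for
        # that seller; no case, or a case about a different seller, means the
        # employee acted outside their assignment.
        if e.ticket_seller != e.seller:
            findings.append(("unscoped_action", e.employee, e.seller))
        # Rule 2: the ransom pattern, the same employee suspending a seller and
        # then reinstating it shortly afterwards.
        if e.action == "suspend":
            last_suspend[key] = e.ts
        elif (e.action == "reinstate" and key in last_suspend
              and e.ts - last_suspend[key] <= CYCLE_WINDOW):
            findings.append(("suspend_reinstate_cycle", e.employee, e.seller))
    # Rule 3: an employee whose privileged actions cluster on one seller,
    # the signature of an insider working for a single outside client.
    for (emp, seller), n in per_pair.items():
        if n >= CONCENTRATION:
            findings.append(("seller_concentration", emp, seller))
    return findings


# Constructed sample log: "e-mole" is the corrupt employee, "e-ok" a normal one.
SAMPLE_LOG = """\
2018-03-01T09:00:00|e-mole|suspend|S-GINGER|T-100|S-OTHER|support
2018-03-04T10:00:00|e-mole|reinstate|S-GINGER|T-100|S-OTHER|
2018-03-05T11:00:00|e-ok|suspend|S-KRASR|T-200|S-KRASR|enforcement
2018-03-06T12:00:00|e-mole|reinstate|S-KRASR|||
2018-03-07T13:00:00|e-mole|export_orders|S-KRASR|||
2018-03-08T14:00:00|e-ok|view_customer|S-GINGER|T-300|S-GINGER|
2018-03-09T15:00:00|e-mole|view_customer|S-KRASR|T-400|S-KRASR|
"""


def run_sample() -> List[Finding]:
    """Apply the rules to the constructed log; every finding names e-mole."""
    return detect([parse_line(l) for l in SAMPLE_LOG.splitlines() if l])


if __name__ == "__main__":
    for rule, emp, seller in run_sample():
        print(f"{rule:24} {emp:8} {seller}")
```

Rule 1 is the one that matters most in practice: it turns "access to only the data needed for a particular assignment" from a policy statement into something checkable after the fact, and it fires on the sample log even where the employee had a legitimate-looking case open for a different seller. Rules 2 and 3 are weaker on their own (a support agent can legitimately reverse a mistaken suspension, or spend a week on one difficult seller) and are better used to rank the Rule 1 hits than as alerts by themselves.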

According to Carter's memo, Amazon had caught seven of the employees who were working with Krasr, and they had spilled their secrets. All of them had been fired. But Krasr himself proved elusive. Amazon had referred him to the FBI, the memo said. “We believe Krasr is traveling between Toronto and Thailand and have retained a private investigator to confirm his whereabouts,” the memo stated. (“Any marketplace with a good amount of activity is going to have bad actors try to take advantage,” says Bemisderfer.)

Krasr had finally rattled Amazon's security leaders, but he wasn't an isolated case. The team also discovered an employee in China who had shared confidential information with a data broker, who then sold it on the Chinese messaging service WeChat, according to the memo. Plus they found an employee in China who offered a bribe to an employee in India to help certain sellers.

To make matters worse for Amazon, word of the company's corruption problem was beginning to get out. In fall 2018, The Wall Street Journal reported that employees there were slinging data for cash and that one was fired for leaking customer emails to a seller.

In response to the Journal stories, Amazon launched an internal project, codenamed Glass Door, to develop ways to fix the problem. But security leaders weren't particularly optimistic: “These threat actors are financially motivated and will remain persistent at acquiring our data,” a draft of a memo from Carter to Amazon's execs said, “until the financial burden on the attacker is greater than their financial gain.”

IN JANUARY 2020, after just over a year and a half in the role, Carter left his job running Amazon's information security department. His exit sent the division into yet another several months of floundering without a chief.

Amazon eventually hired John “Four” Flynn to fill the role. Flynn arrived from Uber, where he had served as chief information security officer during a period when employees there were using their data privileges to track the movements of ex-girlfriends and celebrities like Beyoncé. Those abuses came to light not because Uber disclosed them but because a whistleblower filed a lawsuit against the company—and alleged, in that suit, that he was fired in part for raising his concerns with Flynn. (Uber said it maintains strict policies to protect customer data and that it fired fewer than 10 employees for improper access. The lawsuit ended in a settlement.)

Flynn was also at Uber when the company hushed up a massive hack of user data. Around the time Flynn was hired at Amazon last year, his old boss at Uber, security chief Joseph Sullivan, was indicted for allegedly paying off hackers to keep the data breach hidden from the public and federal authorities. Flynn, who hasn't been accused of any wrongdoing, testified before Congress that he wasn't involved in the payout. “I think we made a misstep in not reporting to consumers,” he told lawmakers. “And I think we made a misstep in not reporting to law enforcement.”

At Amazon, Flynn inherits some of the same problems that plagued Carter. Shady online services still openly advertise their ability to provide insider access for a fee. Many promise internal screenshots of Amazon's systems (one advertises them for $175) or customer emails. Photos of a laptop open to Amazon's internal seller support portal, reviewed by Reveal and WIRED, carried location metadata pinpointing the exact spot in India where the images were taken last year.

In September 2020, federal prosecutors indicted six people in a scheme to bribe Amazon employees, saying the conspiracy had continued from at least 2017 to 2020. The trial is slated for next year. Some industry consultants say the problem of employee corruption is as bad as ever. But Amazon says it strongly rejects the notion that it has a problem with bribery.

Amazon also told Reveal and WIRED that it would “continue to enforce and remove seller accounts who have relations with Mohamed Multhazim Akbar Ali should any of these surface in the future.” But in fact, Krasr has been back in action for some time. Ali has a new company, ZB Ventures, which Reveal and WIRED were able to connect to more than 20 brands peddling everything from beard straighteners to massage guns on Amazon (some even earning an “Amazon's Choice” label). The brands' product pages are also littered with reviews from customers who say they were promised free upgrades in exchange for positive reviews—a practice that violates Amazon's policies.

Ali himself is still in the wind. “I have over 8 different online businesses which are mostly automated,” he says in his profile on the Couchsurfing social network, “so I'm free most days to help, explore, and enjoy life.”

Amazon's security division carries a much heavier burden. Bemisderfer writes that the memos and emails discussed in this article are “old documents” that “do not reflect Amazon's current security posture,” and some security staffers who have left the company tend to agree. The division is making some progress, they say. Amazon's systems for automatically detecting threats—an area where the company says it has made investments—are indeed constantly improving. The company says it has made significant investments in tools that identify “where personal data is stored and how it flows” and procedures that give employees “access to only the data that is critical to complete a particular assignment.” But on the whole, former employees say, the security division is still adrift.

“It's going to take forever to turn that ship,” says one former security manager. What Amazon does well is build new things quickly, the former manager says; what it doesn't do well is solve complex problems that take multiple teams and years to address. Meanwhile, the bloodletting continues, as the division keeps losing experienced security pros through attrition. The lineup of executives who receive Flynn's six-pagers has also changed: Jeff Wilke retired from Amazon in March 2021.

Meanwhile, Amazon's vast attack surface of customer data, and its potential pool of “internal threat actors,” have both grown at a rate that is nearly incomprehensible. Just since DeVore's testimony in 2018, the company has doubled its number of Prime members, to 200 million. It has also more than doubled its number of employees worldwide, to nearly 1.5 million.

The company has achieved huge scale in another sense as well: In August 2021, true to the warnings of Amazon's privacy staffers, officials in Luxembourg levied $883 million in fines against the company for GDPR violations, a penalty more than twice as large as all prior GDPR fines against other companies put together. (Amazon says the decision relates to the advertising that it shows European customers. The company strongly disagrees with the ruling and is appealing it.)

Still, public faith in Amazon has remained high. In July 2020, a year before he too stepped down as CEO, Jeff Bezos testified before Congress for the first time ever, to defend Amazon against growing antitrust sentiment in Washington. (In a social media post before the hearing, Ali scoffed at the idea that lawmakers would ever rein Bezos in. “He's definitely above the law,” the man behind Krasr wrote. “Nothing can be done about it.”) In his opening remarks to Congress, Bezos nodded to some of the now-plentiful studies that find Amazon to be one of the most trusted institutions in America. “Who do Americans trust more than Amazon to do the right thing?” he asked the committee. “Only their doctors and the military.” But as he added in his statement, “Customer trust is hard to win and easy to lose.” Is Amazon worthy of it?
