Amazon has confirmed a data breach involving employee information, highlighting vulnerabilities associated with third-party vendors. The Amazon data breach came to light after reports emerged of a “security event” impacting one of Amazon’s property management vendors. Although Amazon and AWS’s core systems remained secure, the breach has raised concerns about data handling practices and third-party security protocols.
Dissecting Amazon Data Breach
An Amazon spokesperson, Adam Montgomery, disclosed that a breach involving employee data had indeed occurred. The breach stemmed from a third-party property management vendor, affecting multiple clients, including Amazon. The exposed data primarily involved work-related contact information, such as employee email addresses, desk phone numbers, and building locations. Fortunately, more sensitive data, such as Social Security numbers or financial details, were not accessed, and the vendor has since patched the security vulnerability that led to the breach.
Amazon has not revealed the number of employees impacted, but the breach aligns with a larger cybersecurity trend that emphasizes the risks posed by third-party vendors. Reports from cybersecurity firm Hudson Rock indicate that a threat actor named “Nam3L3ss” claimed to have leaked stolen data from Amazon and other major organizations on BreachForums. The scale of the data exposed allegedly surpasses 2.8 million lines.
MOVEit Transfer Exploitation
The Amazon data breach is part of a broader set of security incidents tied to third-party platforms, including the mass exploitation of MOVEit Transfer. In the MOVEit breach, one of the most powerful cyberattacks of 2023, attackers exploited a zero-day vulnerability in Progress Software’s file-transfer system, impacting over 1,000 organizations. High-profile victims included government agencies and corporations, with data records numbering in the millions.
These breaches have been attributed to the infamous Clop ransomware and extortion group. Notable victims included the Oregon Department of Transportation, with 3.5 million records compromised; the Colorado Department of Health Care Policy and Financing, which saw four million records exposed; and U.S. government services contractor Maximus, with 11 million records impacted.