On Monday, a series of headlines popped up screaming that Amazon employee data was stolen. While there was data “stolen,” these headlines are the worst kind of click-bait, and we’re going to need to dive a bit deeper into the stories (like this one from TechCrunch) to spell out what happened, and why it is nowhere near as bad as those headlines sound.
First, what happened. Sometime in the last week or so, a third-party building contractor that Amazon works with had its systems compromised by a threat actor. The attacker used the MOVEit vulnerability that made the news last year to intercept files that were being transferred back and forth between the contractor and many of its customers. Included in that set of files were – apparently – some files detailing Amazon employees who worked at facilities managed by the contractor. All of this appears to be true as of Monday evening, and I’m not seeing any reason to doubt the authenticity of the attack itself.
Now, why this is becoming click-bait…
While many websites are screaming that Amazon employee data was stolen – and while that is technically true – it wasn’t Amazon that was compromised, and the data that was stolen was already public information anyone could get. Based on reports coming in, what was “stolen” from Amazon was a list of employees who worked in the various buildings managed by the contractor, the desk phone numbers of those employees, other non-sensitive contact information (like their email addresses), and – of course – which buildings they work in. All of this information can be obtained quickly and easily by looking at social media, publicly available website info, or a whole host of other places. It’s already public, didn’t need to be stolen at all, and is mostly useless to the threat actor except for embarrassing the facilities management firm. Amazon certainly has no reason to pay a ransom or do… well… anything.
So, yes, Amazon employee data was accessed without authorization. That data included general contact information and other details. All of this data could be acquired through dozens of other methods that are in no way threat activity because they revolve around just accessing publicly available websites and feeds.
Always take the headlines with a grain of salt – read the whole article to find out what really happened. While outright hyperbole on this scale is rare (usually the attack is worse than the headline makes it out to be), it does still happen. To their credit, each of the actual stories I read that used one of these really outrageous headlines did detail what happened, but almost none noted that the data was basically already visible to anyone who wanted to see it.
Hang in there, and remember to always question what you’re reading when a headline is screaming at you.