Amazon.com Inc. said it mistakenly shared customer data with undisclosed parties, a privacy misstep by the world’s biggest online retailer heading into its busiest time of year.
The company on Wednesday emailed an undisclosed number of customers to report that their emails and names were inadvertently shared due to a technical error that has since been fixed. It also told customers that changing passwords wasn’t necessary.
“We have fixed the issue and informed customers who may have been impacted,” Amazon said in an email, declining to provide further details on who received the private information.
Whether Amazon faces government investigations and fines for the error depends on where the customers live, said Marc Rotenberg, president of the Electronic Privacy Information Center, an independent research group. In the U.S., the Federal Trade Commission has been reluctant to probe potential privacy violations, but the European Union would likely investigate and levy fines if any of the data shared was from customers in its jurisdiction, according to Rotenberg. The FTC declined to comment.
“Under the European approach, this appears to violate a fundamental data protection obligation,” he said. “That will lead to an investigation and likely a fine.”
Online holiday sales will top $124 billion this year, up 14.8 percent from a year earlier, according to Adobe Inc. Thanksgiving, Black Friday and Cyber Monday will be among the biggest spending days in the U.S.
Amazon should have provided more information about the nature of the problem and advised shoppers to be on alert for email “phishing” scams that could result from their contact information being shared, said Andy Norton, a director at cybersecurity firm Lastline Inc.
“This could be viewed as one of the worst breach notes in history,” he said. “It is creating confusion and uneasiness, and creating more questions than answers, when it should have done the opposite.”
Target was the victim of a high-profile data leak during the 2013 holiday shopping season, when hackers stole credit- and debit-card data, as well as personal information, for tens of millions of customers. That dented sales and triggered a stock slump that contributed to the ouster of Chief Executive Officer Gregg Steinhafel.