4,700 Amazon employees had unauthorized access to private seller data | Ars Technica
Shoddy security allowed various employees to use info to their advantage.
TIM DE CHANT - 5/4/2021, 4:44 PM
Thousands of Amazon employees, including those who developed private-label goods for the e-commerce giant, enjoyed years of access to sensitive third-party seller data, according to a new report.
An internal audit in 2015 traced the issue to lax security protocols, including the use of a tool called “spoofer access,” which allowed Amazon employees to view and edit accounts as sellers. The employees had access to profile information, inventory levels, product pricing, and even the ability to cancel orders. The audit, obtained by Politico, says that spoofer access was available to employees from around the world and persisted until at least 2018.
At least one employee used the security lapses to their advantage. “We identified one Vendor Manager who inappropriately reviewed a Seller’s on-hand inventory to improve the likelihood and timing of the Vendor Manager winning buy-box,” the audit said. The “buy box” is the main “Buy” button that appears on a product page on Amazon. Various sellers compete for opportunities to “win” the buy box, giving them access to easy sales by making it more likely that orders will be fulfilled from their inventory.
“There was an access control system that allowed people who had the motivation to be good at their job to take data they weren’t supposed to have,” one Amazon IT security professional told Politico. Compliance, the person said, was not high on Amazon’s list of priorities unless there was a strong business case supporting it.
Amazon's slipshod security and compliance practices appear to explain a Wall Street Journal report saying that Amazon employees used third-party seller data to inform the development of Amazon’s own private-label products. In one case, Amazon employees pored over details about a third-party car trunk organizer that topped the bestseller list. They studied sales figures, marketing and shipping costs, and Amazon’s cut of each sale. Later, Amazon introduced an organizer of its own that competed directly with the third-party product. Amazon told the WSJ that such acts were violations of an internal policy.
Amazon CEO Jeff Bezos told Congress about the policy last year, though he made sure to qualify his statement, saying, “I can’t guarantee you that that policy has never been violated.” In his own testimony to Congress, however, Nate Sutton, the company’s associate general counsel, was less equivocal. “We don’t use individual seller data directly to compete” with third-party sellers, he said.
Amazon is not the only retailer to sell its own products alongside competitors. Grocery stores and big-box retailers frequently do the same, since profits are fatter on those sales compared with sales of others’ products. Amazon, though, reportedly has far greater amounts of data about third-party sales at its disposal. When developing new products or refining existing ones, other private-label businesses do not enjoy the same advantages.