Amazon Confirms Employee Data Compromised in Third-Party Vendor Security Event
Amazon has recently confirmed that employee data was compromised following a “security event” at a third-party vendor. In a statement provided to JS by Amazon spokesperson Adam Montgomery, it was revealed that employee information was impacted by a data breach.
Montgomery stated, “Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, such as work email addresses, desk phone numbers, and building locations.”
Although Amazon did not disclose the exact number of employees affected by the breach, it was emphasized that the third-party vendor did not have access to sensitive data like Social Security numbers or financial information. Additionally, the vendor addressed the security vulnerability responsible for the breach.
The confirmation of the data breach comes in the wake of a threat actor claiming to have leaked data stolen from Amazon on BreachForums. The individual, operating under the alias “Nam3L3ss,” claims to possess over 2.8 million lines of data obtained during the previous year’s mass-exploitation of MOVEit Transfer.
“What you have seen so far is less than .001% of the data I have. I have 1,000 releases coming never seen before,” the threat actor asserted.
Furthermore, cybersecurity firm Hudson Rock reported that “Nam3L3ss” has purportedly published data taken from 25 major organizations, including Amazon, McDonald’s, HSBC, HP, and potentially others. JS has reached out to these organizations for comment but has not received any responses yet.
The MOVEit breach, in which attackers exploited a zero-day vulnerability in Progress Software’s file-transfer software, was one of the largest hacks of 2023. Allegedly orchestrated by the Clop ransomware and extortion gang, the hacks impacted over 1,000 organizations, with notable targets including the Oregon Department of Transportation, the Colorado Department of Health Care Policy and Financing, and Maximus.