Amazon recently confirmed that some of its employee data was compromised as a result of a security incident involving a third-party vendor. A statement provided to TechCrunch by Amazon spokesperson Adam Montgomery said that the breach involved employee work contact information such as work email addresses, desk phone numbers, and building locations. Amazon said that its own systems, as well as those of AWS, remained secure and unaffected by the breach.
While the exact number of impacted employees was not disclosed, Amazon emphasized that sensitive data such as Social Security numbers or financial information was not accessed. Additionally, the unnamed third-party vendor responsible for the breach has reportedly addressed the security vulnerability that led to the incident.
The confirmation of the data breach follows a claim made by a threat actor known as “Nam3L3ss,” who stated that they had obtained and published data stolen from Amazon during a prior security breach involving MOVEit Transfer. The threat actor boasted about having over 2.8 million lines of data, with intentions to release more in the future.
According to cybersecurity firm Hudson Rock, the same threat actor has also targeted and stolen data from 25 other major organizations. The hacker’s claims suggest that only a small fraction of the total stolen data has been made public so far, hinting at further releases.
The original MOVEit breach, which exploited a zero-day vulnerability in Progress Software’s file-transfer software, was described as the largest hack of 2023. This breach was orchestrated by the Clop ransomware and extortion group and impacted over 1,000 organizations, including government entities like the Oregon Department of Transportation, the Colorado Department of Health Care Policy and Financing, and Maximus, a major services contractor for the U.S. government.
While Amazon and other affected organizations are working to address the fallout from these security incidents, the larger implications of such breaches on data security and privacy continue to raise concerns. As cyber threats become more sophisticated and widespread, the need for robust cybersecurity measures and proactive defense strategies becomes increasingly critical for safeguarding sensitive information and preventing future breaches.