Thousands of the company’s customer service employees around the world are said to have had ‘free for all’ access to look up anyone’s purchase history.
The aim of the system was to speed up service, but some staff used their privileges to snoop on the buying habits of partners past and present as well as celebrities, former employees have alleged.
‘Hellish’ conditions, ‘spying’ on workers, ‘rigging’ search results: Jeff Bezos’ scandal-hit giant now holding the UK’s most sensitive secrets
Amazon has been mired in a raft of scandals since Jeff Bezos first founded the company from his garage.
Last year, claims emerged that it had hired operatives from a detective agency to spy on warehouse workers, track labour unionisation efforts and keep tabs on social justice groups.
Motherboard described a trove of internal Amazon reports that it said outlined the online retail giant’s ‘obsessive monitoring of organized labor and social and environmental movements’.
The reports leaked to Motherboard were written in 2019 by intelligence analysts with Amazon’s Global Security Operations Center, the security division that is responsible for protecting employees, vendors and assets at its facilities worldwide.
Amazon has also faced claims it underpays delivery drivers and tolerates hellish conditions in its warehouses. In 2018, ambulances were called to one of its UK warehouses once every two days as workers collapsed and suffered broken bones.
And this year, the retailer denied claims that it ran a systematic campaign in India to create knock-off versions of products listed on its website and then manipulated search results to boost sales of them.
Despite such searches being against Amazon’s rules, a former customer service manager told Wired that ‘everybody did it’.
The revelations have been made public following an investigation by Wired and the Reveal radio show produced by the Center for Investigative Reporting, which is located in California.
They are based on interviews with ex-employees as well as memos and internal documents from 2015 to 2018.
One former Amazon worker, who has not been named, said he remembered his colleagues looking up the shopping history of rapper West and stars of the Marvel Avengers movies.
Another unnamed celebrity was found to have purchased sex toys, the ex-staff member added.
‘Unruly vulnerabilities’ allegedly allowed employees to start a ‘research session’ to look up a customer even when they were not on the phone.
Amazon’s former chief information security officer Gary Gagnon described the system as a ‘free for all’ that left the US technology giant at risk of ‘international threat actors’.
He told Wired that while he was with the company there was no internal system designed to prevent staff from abusing their access.
‘It was all put together with tape and bubblegum,’ Gagnon said.
Amazon said it had strict policies relating to accessing customer data and ‘strongly rejected’ the suggestion that abuse of these privileges is common.
An Amazon spokesperson told MailOnline: ‘Across 25 years in business, Amazon has an exceptional track record of protecting customer data and has invested billions of dollars to build systems and processes to keep data secure.
‘We have relentlessly high standards for security and privacy, and we continuously assess and implement new measures when we see opportunity to further strengthen our protections.
‘The claims made in the Wired story are based on information that is outdated and out-of-context and have absolutely no bearing on Amazon’s current security posture.’
It has also been claimed that in 2017 Amazon employees found that the names and American Express card numbers of up to 24 million customers had been left exposed on an internal network for two years.
The exposure was corrected but Gagnon said there was no way of knowing whether anyone had accessed the information while it was vulnerable to an attack.
This is because the logs of who had accessed the data only went back 90 days, something Gagnon said he was ‘astonished by’.
According to a 2018 security memo, one of the causes of the issues was a tendency among Amazon staff to copy data and store it in various locations, resulting in a ‘mostly undocumented proliferation of copies of their required data sets.’
Amazon insisted there was no evidence to suggest the data was ever exposed outside of the company’s internal system.
Cybersecurity firm Dashlane looked at 22 different websites and ranked them based on how secure they are and their login protocols.
One point was awarded for the presence of SMS/email authentication and a software token for authentication, but three points were awarded for the use of hardware tokens.
The cybersecurity firm considered anything less than full marks and the presence of all three security measures to be a fail.