A recent data breach tied to Amazon highlights the ongoing risks of third-party software vulnerabilities in safeguarding employee information.

Amazon has admitted to a data breach that exposed the email addresses, phone numbers, and building locations linked to employees.

Amazon spokesperson Adam Montgomery said the company was “notified about a security event at one of our property management vendors that impacted several of its customers, including Amazon.”

The admission came following a report from the cybercrime firm Hudson Rock saying that information released on the hacking forum BreachForums included data from Amazon and 25 other organisations, including MetLife, HP, HSBC, and Canada Post.

Amazon declined to say how many employees were involved but said that the unnamed third-party vendor didn’t have access to sensitive data such as Social Security numbers or financial information.

It added that the security vulnerability responsible for the data breach had been fixed.

According to Hudson Rock, the original data breach, which dates back to May 2023’s infamous MOVEit file transfer system cyberattack, includes 2.8 million Amazon data records.

“The MOVEit vulnerability, discovered in mid-2023, exposed a critical flaw in the widely-used file transfer software, allowing hackers to bypass authentication and access sensitive data.

“This exploit was quickly weaponised, leading to numerous high-profile breaches across industries as attackers exfiltrated confidential employee and customer information from vulnerable systems,” said Rock.

Commenting on the breach, Joe Silva, CEO of cybersecurity firm Spektion, said: “This reinforces how third-party software remains one of the largest and least manageable cybersecurity risks organisations face, including large and technically sophisticated enterprises.

“By the time any company reacts to third-party software risks and vulnerabilities, they’re already being actively exploited while just being publicly disclosed. It’s time for a new approach to address our software supply chain.

“Security teams need to focus on a proactive approach to their third-party software by shifting left and leveraging data that enables quick, accurate, and actionable software risk assessments before they’re exploited.”
