Three former high-level security employees of Amazon have sounded the alarm over the company’s lax information protection practices and revealed that, despite alerting company officials, they were shunned by their superiors.
As the biggest ecommerce company in the world, a major player in the digital ad industry and the operator of a major cloud computing service, Amazon holds access to an unfathomable amount of personal data, yet does little to ensure that this information remains safe from malicious actors.
POLITICO spoke with three company whistleblowers who mentioned that they had repeatedly tried to bring this concern to Amazon’s leadership yet were constantly rebuked.
Whistleblower #1 [US]
“Imagine if a company the size of Amazon had a breach? The issue is millions of people’s personal identifiable information is at risk,” one former US-based information security employee told POLITICO.
“Amazon’s information technology general controls, considering my experience and where I’ve been in the past, would not have passed muster with most auditors. They were just poorly managed,” they added.
This was in regard to internal security reports from 2016 and 2017, seen by one of the former employees, in which the company stated that it was managing to patch between 55 and 70 percent of its systems. POLITICO wrote that the whistleblower had likened this to leaving a house with several windows and doors open.
Whistleblower #2 [US]
The second former US-based employee was concerned about how the company fails to appropriately control access to its systems, particularly access by employees, at a company whose workforce surpasses one million people.
“You’ve got tens of thousands of … teams connecting to big data. You should have a way to follow all the different types of data,” said the second former US-based employee.
“From a technology point of view, you need to know where the data is going and how it’s being protected. That does not exist,” they added.
Whistleblower #3 [EU]
Europe’s notoriously strict General Data Protection Regulation (GDPR) came into effect in May 2018, and the EU-based whistleblower says they urged the company to become more compliant with this legislation well in advance.
The former Luxembourg-based employee also stated that the company ignored their attempts to highlight this problem, and that Amazon is still far behind in meeting the EU’s GDPR.
POLITICO adds that the EU-based employee is currently in legal proceedings about the terms of their departure in a Luxembourg court.
The problem with GDPR
In theory, the European Union boasts the strictest data protection rules in the world. In execution, it’s a very different story, as no significant investigation concerning privacy malpractices has been concluded since GDPR came into play in May 2018.
A BigTechtopia investigation in October 2020 highlighted a major cause of this problem: EU countries that host Big Tech companies are responsible for leading these investigations and bringing them to the EU’s attention. However, such is the financial importance of these companies to their host nations that investigators turn a blind eye.
Ireland, as the clearest example, hosts Facebook, Microsoft and Apple’s European headquarters, and the Big Tech trio have made 14 green-field investments in the country from January 2010 to June 2020, more than any other EU state.
Data centres have contributed €7.13 billion to Ireland’s economy since 2010 – 12 more facilities are under construction and another 26 are being planned. Ireland expects €6.7 billion in investment between now and 2025, adding to the €6.2 billion that has been invested in the sector thus far.
Luxembourg responds: No sanctions for Amazon
As is the case with Ireland, Luxembourg ignores data privacy breaches committed by Amazon because of the company’s economic importance to the country, where the US company has its EU headquarters.
Within 48 hours of the three whistleblowers coming forward to POLITICO, Luxembourg proved the above, stating that it would not be taking any drastic action against Amazon.
“The aim is not to have big sanctions, the aim is to have a change in culture,” Marc Lemmer, a commissioner at the Luxembourg data protection agency, told POLITICO.