Amazon Data Breached with Millions of Employee Records Exposed
On November 11, 2024, Amazon confirmed a significant data breach affecting a large volume of its employee data. The breach stemmed from a security incident at a third-party service provider, which was targeted in the May 2023 MOVEit attacks. The threat actor, known as Nam3L3ss, publicly released over 2.8 million lines of Amazon employee data on a hacking forum.
Details of the Amazon Employee Data Breach
The leaked data included sensitive employee information such as names, contact information (including work email addresses and desk phone numbers), and building locations. Amazon spokesperson Adam Montgomery confirmed the breach, emphasizing that Amazon and AWS systems remained secure and that the company itself did not experience a direct security event.
“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Montgomery stated.
He clarified that the only Amazon information compromised was employee work contact information; sensitive data like Social Security numbers, government identification, or financial information were not accessed.
The Role of the Third-Party Vendor and the MOVEit Attacks
The compromised third-party vendor, a property management company, had access to employee contact information. The vendor has since addressed the security vulnerability exploited in the attack. The May 2023 MOVEit attacks, which leveraged a zero-day vulnerability in the MOVEit Transfer secure file transfer platform, are implicated in this data breach.
This vulnerability allowed the threat actor to steal data from numerous organizations. The May 2023 theft date recorded for the leaked data coincides with the MOVEit attacks, which occurred during the long US Memorial Day holiday.
Wider Impact of the MOVEit Data Theft
Nam3L3ss, the threat actor responsible for the Amazon employee data breach, also leaked data from twenty-five other companies. While some data was obtained from the MOVEit attacks, Nam3L3ss indicated that additional data was harvested from various exposed internet sources, including publicly accessible databases and backups.
“I download entire databases from exposed web sources including mysql, postgres, SQL Server databases and backups, azure databases and backups etc and then convert them to csv or other format,” they explained.
The list of affected companies includes prominent names such as Lenovo, HP, TIAA, Schwab, HSBC, Delta, McDonald’s, and MetLife, highlighting the extensive reach of the MOVEit attacks. The data leaked for each company is largely consistent, suggesting a common origin point in the compromised vendor.
Data Volume and Impact on Businesses
The table below illustrates the number of employees affected at various companies:
Company | Date Stolen | Number of Employees |
---|---|---|
Lenovo | 2023-05 | 45,522 |
McDonald’s | 2023-05 | 3,295 |
HP | 2023-05 | 104,119 |
City National Bank | 2023-05 | 9,358 |
BT | 2023-05 | 15,347 |
dsm-firmenich | 2023-05 | 13,248 |
Rush University | 2023-05 | 15,853 |
URBN | 2023-05 | 17,553 |
Westinghouse | 2023-05 | 18,193 |
UBS | 2023-05 | 20,462 |
TIAA | 2023-05 | 23,857 |
OmnicomGroup | 2023-05 | 37,320 |
Bristol-Myers Squibb | 2023-05 | 37,497 |
3M | 2023-05 | 48,630 |
Schwab | 2023-05 | 49,356 |
Leidos | 2023-05 | 52,610 |
Canada Post | 2023-05 | 69,860 |
Amazon | 2023-05 | 2,861,111 |
Delta | 2023-05 | 57,317 |
Applied Materials | 2023-05 | 53,170 |
Cardinal Health | 2023-05 | 407,437 |
US Bank | 2023-05 | 114,076 |
fmr.com | 2023-05 | 124,464 |
HSBC | 2023-05 | 280,693 |
MetLife | 2023-05 | 585,130 |
The sheer volume of data leaked underscores the severity of the Amazon data breach and the broader impact of the MOVEit vulnerabilities. The incident is a stark reminder of the importance of robust cybersecurity measures across the supply chain: the involvement of numerous other major corporations demonstrates the far-reaching consequences of vulnerabilities in third-party systems.