Amazon confirms employee data breach, but company says financial details remain secure

Amazon has confirmed a data breach involving employee information, triggered by a vulnerability in a third-party property management vendor's system. The breach exposed work-related contact details, such as email addresses, desk phone numbers, and building locations, following the exploitation of the MOVEit Transfer vulnerability from 2023.

MOVEit Vulnerability Details

The vulnerability, identified as CVE-2023-34362, is an SQL injection flaw within MOVEit Transfer software, which allowed cybercriminals to bypass authentication and access sensitive data. The flaw was first exploited in May 2023 and impacted numerous major firms. The hacker group "Nam3L3ss" revealed the stolen data, which includes details of over 2.8 million individuals, affecting companies like Lenovo, HP, and HSBC. This breach has raised concerns about supply chain security and the vulnerabilities posed by third-party vendors.

Amazon's Response

Amazon spokesperson Adam Montgomery confirmed the breach, stating that only employee work contact information was affected. “The only Amazon information involved was employee work contact information,” Montgomery said. He further clarified that sensitive data, such as Social Security numbers and financial details, remained secure. Montgomery assured that Amazon's core systems, including Amazon Web Services (AWS), were unaffected by the breach. While the third-party vendor’s security flaws have been addressed, the company did not disclose the number of employees impacted.

Ongoing Security Risks

This incident highlights the ongoing risks businesses face when relying on third-party services. Despite the MOVEit vulnerability being patched in 2023, its aftermath continues to affect numerous organizations. The breach serves as a reminder of the critical need for robust cybersecurity practices across supply chains and vendor networks.

Global Impact of MOVEit Vulnerability

The breach is part of a broader wave of cyberattacks exploiting the MOVEit flaw, which has impacted over 2,000 organizations globally, exposing personal data of millions. As the cybercrime group Nam3L3ss has warned of additional leaks, it’s evident that risks from third-party dependencies remain a significant concern for businesses worldwide.