Another data breach? Amazon India leaks sellers information in tech error

A month later, US-headquartered e-commerce giant Amazon has again witnessed another glitch, this time on its India portal.

Sources in the know said that the glitch was reported internally last and left exposed some of its sellers’ private financial information to other users. Sellers downloading their monthly financial reports (data of their sales through Amazon.in) were served with those of other vendors, leading to a breach of competitive businesses data.

Amazon India confirmed the incident and said that as soon as the breach came to its notice, technical teams were pressed into action to resolve the issue. The company did not reveal the numbers of sellers affected by the glitch.

“On Sunday, some sellers who attempted to download merchant tax reports for the month of December 2018 experienced a technical issue,” Amazon India said. “Our teams identified the issue and resolved it on priority and sellers were soon able to download the correct reports.”

Though the firm said it was able to contain the issue, unsolicited exposure of a firm’s data has spooked e-commerce users. The merchant tax reports, that were accidently passed on to unintended recipients, contained data including sales, category-wise split and inventory data. If found by rivals, this could prove to be of material value to them and detrimental to the merchant whose data was outed, experts said.

Such instances almost always have an impact on users' trust, said Saket Modi, chief executive of Lucideous, a New Delhi-based cybersecurity consultancy. “Being hacked is not uncommon. What matters is whether these lapses are responded to swiftly and in the right manner.”

It could not be determined immediately whether any number of Amazon sellers have raised a complaint yet. Amazon India has 150 million registered users and around 4 million merchants sell on its platform.

Last year, Amazon.com faced a similar, but larger breach. It had said that an unknown number of email addresses were left exposed due to a technical error. Though it was resolved swiftly, Amazon had declined to share the number of users affected, the scope of the breach or what caused the error. Sources had told Business Standard at the time that data of some Indian users may have also been compromised.

The issue of safety of user data took centre stage after Facebook, the global social media giant, disclosed that an obscure gaming app fed users’ data to political data mining firm Cambridge Analytica without authorisation in early 2018. Data of about 87 million users, by one estimate, were left exposed.

EarlySalary, a fin-tech start-up, was the victim of a ransomware attack in October. The attacker was looking to extort ransom against data of at least 20,000 users that it had accessed from an earlier version of its website.

Food start-up FreshMenu had also faced a data breach that left exposed the personal details of 110,000 users. What irked users was that the firm admitted to the breach two years later.

At the moment, the country does not have a provision for a user, whose data has been exposed, to recover damages from companies responsible for this. A section in the draft Data Protection Bill, which is undergoing consultations and pruning, however, lays down directives for early disclosure of leaks and a mechanism to try cases pertaining to such lapses.

“In the current form, it has been proposed that if a company's customer data is breached, it is liable to a penalty of 4 per cent of its global revenues. Criminal liability has been proposed too,” Modi said.

The Bill is likely to be tabled in Parliament in June.