A former Amazon executive says the company doesn’t take customer data protection seriously enough. “It was put together by tape and bubblegum,” ex-chief information security officer Gary Gagnon says in a new report published today by Wired and the Center for Investigative Reporting’s Reveal. Their investigation documents show Amazon’s mission to track and analyze every move we make as consumers—”What you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who’s at your front door”—has backfired into a sort of Achilles’ heel for data security.
Gagnon says when he started in 2017, customer data protection was almost an afterthought. “It was shocking to me,” he tells Wired and Reveal. New consumer product launches were shrouded in “utmost secrecy,” yet employees were given astounding amounts of access to practically everything else, including customer information—with no checks in place to prevent abuse. In addition, the data breaches were “breathtaking.” (According to Wired, for 2 years, 24 million customers’ names and credit-card numbers sat outside Amazon’s secure payment zone. Amazon spokesperson Jen Bemisderfer told Fast Company, “There is no evidence to suggest the data was ever exposed outside of our internal system or misused in anyway.”)
Gagnon also notes that his team numbered about 300 when he was hired, but should have been “more like 1,000.” When he asked for more resources, global consumer business CEO Jeff Wilke would usually turn down the request. Gagnon came to believe InfoSec was seen as dead weight: Amazon Web Services’ separate security team had the ability to generate revenue through cloud data-protection products, but the consumer team was seen as draining money from the cool projects that “made Amazon faster, more profitable, and more pleasurable.” The publications report Gagnon warned that Amazon was expanding too fast, and that the casualty was going to be data security.
A spokesperson for Amazon issued the following statement when Fast Company reached out for a comment: “The claims made in the ‘Wired’ story are based on information that is outdated and out-of-context and have absolutely no bearing on Amazon’s current security posture.”