Amazon Confirms Employee Data Breach Following MOVEit Attack on Third-Party Vendor
Amazon has confirmed that employee data was compromised following a security breach at one of its third-party vendors. In a statement to TechCrunch on Monday, Amazon spokesperson Adam Montgomery assured that Amazon and Amazon Web Services (AWS) systems remain unaffected, emphasizing that the breach only involved contact information of Amazon employees.
The data exposed includes work email addresses, desk phone numbers, and office locations, Montgomery explained. The unnamed vendor reportedly does not have access to more sensitive information such as Social Security numbers or financial details, and the security vulnerability has since been patched.
The breach came to light after a hacker, using the alias “Nam3L3ss,” claimed on the hacking forum BreachForums to have published data stolen from Amazon as part of a larger leak. The hacker alleges they possess over 2.8 million lines of data, much of it collected during last year’s MOVEit Transfer breach. This breach, which exploited a zero-day vulnerability in Progress Software’s MOVEit file-transfer platform, became the largest cybersecurity incident of 2023. The notorious Clop ransomware gang has claimed responsibility, impacting over 1,000 organizations globally.
Other affected entities in the MOVEit breach include the Oregon Department of Transportation, Colorado’s Department of Health Care Policy and Financing, and government services provider Maximus, with millions of records exposed. Hudson Rock, a cybersecurity firm tracking the incident, reports that Nam3L3ss claims to have more data releases planned.
Amazon has yet to disclose the exact number of employees impacted by this breach, but the incident underscores ongoing vulnerabilities in third-party vendor relationships amidst increasingly sophisticated cyberattacks.